Security fixes are applied to the latest development line.

| Version | Supported |
|---|---|
| main | Yes |
| older branches/tags | No |
Please report vulnerabilities privately using GitHub Security Advisories:

- Go to the Security tab in the repository
- Click Report a vulnerability
- Include reproduction steps, impact, and affected paths

Do not open a public issue for undisclosed vulnerabilities.
Security-sensitive areas:

- Authentication/session handling (`packages/daemon/src/auth`)
- Hook ingestion and secret validation (`packages/daemon/src/api/hooks.ts`)
- Policy enforcement and audit paths (`packages/daemon/src/sessions`, `packages/daemon/src/api/inputPolicy.ts`)
- Encrypted env storage and secret handling (`packages/daemon/src/crypto`)
- Database migrations and integrity constraints (`packages/daemon/src/db`)
Run locally:

```bash
bun run security:secrets
bun run security:deps
```

CI enforces:

- Dependency vulnerability scanning (`bun run security:deps`)
- Secret leak scanning (`bun run security:secrets`)
- Format/lint/type/test/build gates
- Packaging allowlist verification (`bun run pack:check:fast`)
Hardening expectations for changes:

- Never log plaintext secrets or credentials.
- Keep hook authentication (`X-CodePiper-Secret`) mandatory.
- Preserve policy semantics (`allow|deny|ask`) and no-hook provider input preflight checks.
- Prefer additive API changes and strict request validation.