| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
Please do NOT open a public issue for security vulnerabilities.
Instead, report vulnerabilities by emailing [SECURITY_EMAIL] with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge receipt within 48 hours and aim to provide a fix within 7 days for critical issues.
- Context isolation:
contextIsolation: true,nodeIntegration: false - Token storage: Uses Electron's
safeStorageAPI for encrypted credential storage - Path traversal guard: All file operations validated against workspace root
- Shell risk classification: Dangerous commands require explicit user approval
- IPC validation: All IPC inputs validated with Zod schemas
- CSP: Content Security Policy headers set on the renderer
- No remote code execution: No
eval(), nonew Function(), no remote module
| Threat | Mitigation |
|---|---|
| Token theft | safeStorage encryption, no plaintext storage |
| Path traversal | Workspace root boundary check |
| Command injection | Risk classifier + user approval gate |
| XSS via chat | React JSX auto-escapes, CSP headers |
| Malicious IPC | Zod schema validation on every handler |