Security policy / notes

Reporting

If you find a vulnerability, please open a GitHub Security Advisory or a private issue in the repo.

High-risk endpoints

This project includes an intentionally convenient LAN API:

  • POST /v1/publish accepts secret_key_b64 so the node can sign events on the agent’s behalf.

Do not expose this endpoint to the public internet. Use it only on trusted hosts/LANs. For safer setups:

  • have the agent sign EventEnvelope locally and submit via POST /v1/events

Secrets

  • Never commit secret_key_b64 values, .env files, or agent configs with secrets.
  • Keep --data-dir private if you use it to store private material.
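
One way to enforce the "never commit" rule is a pre-commit check like the one below. It is an added example, not code from this project. The config syntaxes it matches (JSON, YAML, TOML, .env), the `.env.*` file-name rule and the `agent_id` field in the test data are assumptions, and the sample key is constructed.

```python
import base64
import re
import subprocess

# Constructed sample value (32 zero bytes), not a real key.
SAMPLE_KEY = base64.b64encode(bytes(32)).decode()

# secret_key_b64 followed by ':' or '=' and a base64-looking value, quoted or
# bare. Covering JSON, YAML, TOML and .env syntax is an assumption.
_ASSIGN = re.compile(
    r"""secret_key_b64["']?\s*[:=]\s*["']?([A-Za-z0-9+/_-]{16,}={0,2})""", re.IGNORECASE)

def _is_base64(value):
    """True if value decodes as standard or URL-safe base64."""
    std = value.replace("-", "+").replace("_", "/")
    try:
        base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def find_secrets(path, text):
    """Return (path, line_no, reason) findings for one file's content."""
    findings = []
    name = path.rsplit("/", 1)[-1]
    if name == ".env" or name.startswith(".env."):
        findings.append((path, 0, ".env file"))
    for n, line in enumerate(text.splitlines(), 1):
        m = _ASSIGN.search(line)
        if m and _is_base64(m.group(1)):
            findings.append((path, n, "secret_key_b64 value"))
    return findings

def scan_staged():
    """Scan the staged (index) version of every added or modified file."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout.splitlines()
    findings = []
    for path in names:
        blob = subprocess.run(["git", "show", f":{path}"], capture_output=True).stdout
        findings += find_secrets(path, blob.decode("utf-8", "replace"))
    return findings

if __name__ == "__main__":
    hits = scan_staged()
    for path, n, reason in hits:
        print(f"{path}:{n}: {reason}")
    raise SystemExit(1 if hits else 0)
```

Run from `.git/hooks/pre-commit`, a non-zero exit blocks the commit. Placeholders such as `secret_key_b64=<your key>` are not flagged because they do not decode as base64.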