The Homie is in public preview. Security fixes land on master and the latest
release tag only; older alpha tags are not patched.
| Version | Supported |
|---|---|
Latest release (v0.1.x-alpha) |
✅ |
master |
✅ |
| Older tags | ❌ |
Report vulnerabilities privately through GitHub's private vulnerability reporting: the repository's Security tab → Report a vulnerability. Please do not open a public issue for security reports.
Include what you can: the affected component (channel adapter, orchestration API, browser executor, install scripts, …), reproduction steps, impact, and any suggested fix.
This is an alpha project maintained on a best-effort basis. Expect an acknowledgement within a few business days; fixes are prioritized by impact. There is no bug bounty program.
In scope: code in this repository — the chat router and channel adapters, the cognition and memory pipelines, the orchestration service and its local API, the runtime/provider layer, the dashboard and Desktop shell, and the install scripts.
Out of scope: your own deployment configuration, credentials you supply for optional integrations (Google, Asana, Slack, banking providers, …), and vulnerabilities in third-party model providers or platforms the framework talks to — report those upstream.
Defaults are conservative; the README's Security & Data Handling section describes them in full. Highlights:
- Local-first Markdown vault; no hosted service or account.
- Per-channel user/guild allowlists.
- External write actions (posting, sending, connection requests, DMs) are default-denied behind exact approval phrases, with an audit row per attempt — see the Social-Write Executor contract.
- Durable identity/memory mutation passes a default-deny evidence and policy gate with an append-only ledger and rollback snapshots — see the Living Self Manual.
- Telemetry (Langfuse, Sentry/GlitchTip) is opt-in and off by default.
Before exposing an instance beyond your own machine:
- Set the channel allowlists (
TELEGRAM_ALLOWED_USER_IDS,DISCORD_ALLOWED_GUILDS/DISCORD_ALLOWED_USERS) before sharing any bot token or invite link. - Keep environment files out of version control — the shipped
.gitignorecovers.claude/scripts/.env— and rotate any token you suspect leaked. - Set
ORCHESTRATION_API_TOKENif anything other than localhost can reach the orchestration API on port 4322. - If you enable Langfuse, prefer a self-hosted instance so traces stay inside your infrastructure.
- Review
install.sh/install.ps1before piping them to a shell — they are short, plain scripts.