Security Policy
Supported Versions
The project is pre-1.0; security fixes are applied to the latest released version. Older versions may not receive backports.
Reporting a Vulnerability
Email: team@tenets.dev (or team@manic.agency if unreachable)
Please include:
- Description of the issue
- Steps to reproduce / proof-of-concept
- Potential impact / affected components
- Your environment (OS, Python version, tenets version)
We aim to acknowledge within 3 business days and provide a remediation ETA after triage.
Responsible Disclosure
Do not open public issues for exploitable vulnerabilities. Use the private email above. We will coordinate disclosure and credit (if desired) after a fix is released.
Scope
Tenets runs locally. Primary concerns:
- Arbitrary code execution via file parsing
- Directory traversal / path injection
- Insecure temporary file handling
- Leakage of private repository data beyond the intended output
Out of scope:
- Issues that require a malicious local user or local privilege escalation
- Vulnerabilities in optional third-party dependencies (report these to the upstream project)
Security Best Practices (Users)
- Pin versions in production workflows
- Run latest patch release
- Review output before sharing externally
- Avoid running against untrusted repositories without isolation (use containers)
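One way to make the "review output before sharing externally" step mechanical is to scan the generated text for obvious credentials and redact them before the file leaves the machine. The script below is an added example written for this page; it is not part of tenets and assumes nothing about tenets' output beyond it being plain text. The pattern set is illustrative rather than complete, and the sample output (SAMPLE_OUTPUT) is constructed for the demonstration.

```python
"""Pre-share check: find and redact obvious credentials in generated text.

Added example for this page, not part of tenets. Works on any plain-text
file (for instance a repository context file). The sample input below is
constructed; the patterns cover a few common credential formats only.
"""
import re
import sys
from pathlib import Path

# (kind, compiled pattern), in report order. Patterns run over the whole text
# so that multi-line material such as a PEM block is matched as one unit.
SECRET_PATTERNS = [
    # AWS access key IDs: 'AKIA' followed by 16 uppercase alphanumerics.
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # GitHub classic personal access tokens: 'ghp_' + 36 alphanumerics.
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # Whole PEM private key block (any algorithm label), header to footer.
    ("private_key_block", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
        re.S)),
    # 'password=...' / 'api_key: ...' style assignments with a value of 8+ chars.
    ("generic_credential_assignment", re.compile(
        r"\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?[^\s'\"]{8,}",
        re.I)),
]

# Constructed sample of what a repository context dump might contain.
SAMPLE_OUTPUT = """\
# File: src/app.py
import os
DB_URL = os.environ["DB_URL"]
# File: config/.env
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_KEY=sk_live_51Habcdefghijklmnop
# File: deploy/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-----END OPENSSH PRIVATE KEY-----
"""


def find_secrets(text):
    """Return [(line_number, kind), ...] sorted by 1-based line of each match.

    A multi-line match (e.g. a PEM block) is reported at the line it starts on.
    """
    hits = []
    for order, (kind, pattern) in enumerate(SECRET_PATTERNS):
        for match in pattern.finditer(text):
            lineno = text.count("\n", 0, match.start()) + 1
            hits.append((lineno, order, kind))
    return [(lineno, kind) for lineno, _, kind in sorted(hits)]


def redact(text):
    """Replace every match with a '[REDACTED:kind]' marker so the remainder can be shared."""
    for kind, pattern in SECRET_PATTERNS:
        text = pattern.sub(f"[REDACTED:{kind}]", text)
    return text


if __name__ == "__main__":
    # Usage: python check_output.py <file>   (no argument: run on the sample)
    source = Path(sys.argv[1]).read_text(encoding="utf-8", errors="replace") \
        if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for lineno, kind in find_secrets(source):
        print(f"line {lineno}: {kind}", file=sys.stderr)
    sys.stdout.write(redact(source))
```

The check is pattern-based, so it only catches credential formats it knows about; treat a clean result as "nothing obvious", not as proof the output is safe, and prefer a maintained secret scanner with a full ruleset for anything that will be shared outside the team. Redaction is applied to the whole match, which is why the PEM pattern spans header to footer: replacing only the header line would leave the key material in place.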
Patching Process
- Triage & reproduce
- Develop fix in private branch
- Add regression tests
- Coordinate release (patch version bump)
- Publish advisory in CHANGELOG / release notes