Please report security vulnerabilities privately — do not open a public issue, pull request, or discussion for them.
Use GitHub's private vulnerability reporting: open the repository's Security tab and click "Report a vulnerability". This creates a private advisory visible only to the maintainers.
A good report includes:
- a description of the issue and its impact;
- steps to reproduce — a minimal
eacommand sequence or a small repository is ideal; - the affected version (commit SHA or tag) and your Python version.
We aim to acknowledge reports promptly, fix confirmed issues privately, and publish an advisory once a fix is available. Please give us a reasonable window to address the issue before any public disclosure.
EAaC is a deterministic local CLI and library (ea-core) plus prompt-only adapter
plugins. It calls no remote services, runs no server, and stores no credentials. The most relevant
classes of issue are therefore:
- a crafted pack, preset, manifest, or artifact file that causes
eato write outside the intended paths or bypass the dry-run /--confirmwrite guard; - arbitrary code execution triggered by loading pack or repository data (packs are data and must never execute);
- a validation or determinism escape that lets invalid state report as
ok, or makes identical inputs produce different output.
Bugs with no security impact belong in a normal issue — see CONTRIBUTING.md.
The project is pre-1.0; only the latest main receives fixes. Pin a commit or tag for a
reproducible install (see the README).