Skip to content

Security: adworzynski/ea-as-code

SECURITY.md

Security Policy

Reporting a vulnerability

Please report security vulnerabilities privately — do not open a public issue, pull request, or discussion for them.

Use GitHub's private vulnerability reporting: open the repository's Security tab and click "Report a vulnerability". This creates a private advisory visible only to the maintainers.

A good report includes:

  • a description of the issue and its impact;
  • steps to reproduce — a minimal ea command sequence or a small repository is ideal;
  • the affected version (commit SHA or tag) and your Python version.

We aim to acknowledge reports promptly, fix confirmed issues privately, and publish an advisory once a fix is available. Please give us a reasonable window to address the issue before any public disclosure.

What's in scope

EAaC is a deterministic local CLI and library (ea-core) plus prompt-only adapter plugins. It calls no remote services, runs no server, and stores no credentials. The most relevant classes of issue are therefore:

  • a crafted pack, preset, manifest, or artifact file that causes ea to write outside the intended paths or bypass the dry-run / --confirm write guard;
  • arbitrary code execution triggered by loading pack or repository data (packs are data and must never execute);
  • a validation or determinism escape that lets invalid state report as ok, or makes identical inputs produce different output.

Bugs with no security impact belong in a normal issue — see CONTRIBUTING.md.

Supported versions

The project is pre-1.0; only the latest main receives fixes. Pin a commit or tag for a reproducible install (see the README).

There aren't any published security advisories