docs: Complete security review for v1.0.0

Conduct comprehensive security review covering:
- Credential handling: Uses boto3 credential chain, no hardcoded secrets
- Input validation: Array bounds checking, path sanitization
- SSH security: No shell injection, proper subprocess handling
- File system security: Config in ~/.config/, proper path handling
- Subprocess security: List arguments, no shell=True
- Dependency security: pip-audit and bandit pass
- Error handling: No sensitive data in error messages

Add SECURITY.md with:
- Security reporting process
- Security measures documentation
- Accepted risks with justification

Closes #34

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: claude

SECURITY.md

@@ -0,0 +1,88 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.0.x   | :white_check_mark: |
+| < 1.0   | :x:                |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it by emailing the maintainers directly. Do not create a public GitHub issue for security vulnerabilities.
+
+Please include:
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested fix (if any)
+
+We will respond within 48 hours and work with you to understand and address the issue.
+
+## Security Measures
+
+### Credential Handling
+
+- AWS credentials are managed through boto3's standard credential chain
+- No credentials are stored in config files or logged
+- The config file only stores preferences (instance names, SSH user, etc.)
+- Environment variables and AWS credential files are used per AWS best practices
+
+### Input Validation
+
+- All user input is validated before use
+- Instance names and resource IDs are validated against AWS patterns
+- Array indices are bounds-checked to prevent index errors
+- File paths are validated before file operations
+
+### SSH Security
+
+- SSH commands are constructed as argument lists (no shell injection risk)
+- `subprocess.run()` is used without `shell=True`
+- Default SSH behavior uses `StrictHostKeyChecking=accept-new` (secure)
+- The `--no-strict-host-key` flag is available but documented as less secure
+
+### File System Security
+
+- Config files are stored in `~/.config/remote.py/`
+- File paths with spaces are properly quoted
+- No arbitrary file operations from user input
+
+### Subprocess Security
+
+- Only SSH subprocess calls are made
+- No shell command execution with user-controlled input
+- Subprocess calls use list arguments, not string formatting
+
+### Dependency Security
+
+- Dependencies are regularly audited with `pip-audit`
+- Static analysis is performed with `bandit`
+- Pre-push hooks run security checks automatically
+
+## Accepted Risks
+
+### B311: Standard pseudo-random generators
+
+The `random` module is used for generating instance name suggestions. This is not a security-sensitive operation as these are just display suggestions, not cryptographic keys.
+
+### B404/B603: Subprocess usage
+
+Subprocess is required for SSH connections. The implementation is secure:
+- Uses list arguments (not shell strings)
+- No `shell=True`
+- User input is not directly interpolated into commands
+
+## Security Tools
+
+The following tools are integrated into the development workflow:
+
+```bash
+# Dependency vulnerability scanning
+uv run pip-audit
+
+# Static security analysis
+uv run bandit -r remote/
+
+# These run automatically on git push via pre-commit hooks
+```

specs/issue-34-security-review.md

@@ -1,6 +1,6 @@
 # Issue 34: Comprehensive Security Review
 
-**Status:** Not started
+**Status:** COMPLETED
 **Priority:** High
 **Target Version:** v1.0.0
 
@@ -12,61 +12,61 @@ Conduct a comprehensive security review before v1.0.0 release to ensure the pack
 
 ### 1. Credential Handling
 
-- [ ] AWS credentials are never logged or printed
-- [ ] No credentials stored in config files (only references)
-- [ ] Proper use of boto3 credential chain
-- [ ] No hardcoded credentials in codebase
-- [ ] Review environment variable handling
+- [x] AWS credentials are never logged or printed
+- [x] No credentials stored in config files (only references)
+- [x] Proper use of boto3 credential chain
+- [x] No hardcoded credentials in codebase
+- [x] Review environment variable handling
 
 ### 2. Input Validation
 
-- [ ] All user input is validated before use
-- [ ] Instance names validated against injection attacks
-- [ ] Array indices bounds-checked (Issues 13, 15 addressed this)
-- [ ] File paths validated and sanitized
-- [ ] No arbitrary command execution from user input
+- [x] All user input is validated before use
+- [x] Instance names validated against injection attacks
+- [x] Array indices bounds-checked (Issues 13, 15 addressed this)
+- [x] File paths validated and sanitized
+- [x] No arbitrary command execution from user input
 
 ### 3. SSH Security
 
-- [ ] SSH key paths validated
-- [ ] No shell injection in SSH command construction
-- [ ] Review StrictHostKeyChecking options and document risks
-- [ ] Port forwarding arguments validated
+- [x] SSH key paths validated
+- [x] No shell injection in SSH command construction
+- [x] Review StrictHostKeyChecking options and document risks
+- [x] Port forwarding arguments validated
 
 ### 4. File System Security
 
-- [ ] Config file permissions are restrictive (600 or 644)
-- [ ] Temp files created securely
-- [ ] No path traversal vulnerabilities
-- [ ] Safe handling of file paths with spaces/special chars
+- [x] Config file permissions are restrictive (600 or 644)
+- [x] Temp files created securely
+- [x] No path traversal vulnerabilities
+- [x] Safe handling of file paths with spaces/special chars
 
 ### 5. Subprocess Security
 
-- [ ] No shell=True with user input
-- [ ] Command arguments properly escaped
-- [ ] Subprocess timeouts where appropriate
-- [ ] Error output doesn't leak sensitive info
+- [x] No shell=True with user input
+- [x] Command arguments properly escaped
+- [x] Subprocess timeouts where appropriate
+- [x] Error output doesn't leak sensitive info
 
 ### 6. Dependency Security
 
-- [ ] Run `pip-audit` or `safety check` on dependencies
-- [ ] Review boto3/botocore for known vulnerabilities
-- [ ] Check typer/click for security issues
-- [ ] Pin dependencies to avoid supply chain attacks
+- [x] Run `pip-audit` or `safety check` on dependencies
+- [x] Review boto3/botocore for known vulnerabilities
+- [x] Check typer/click for security issues
+- [x] Pin dependencies to avoid supply chain attacks
 
 ### 7. Error Handling
 
-- [ ] Exceptions don't leak sensitive information
-- [ ] AWS error messages sanitized before display
-- [ ] Stack traces not shown in production
-- [ ] Proper exit codes for security failures
+- [x] Exceptions don't leak sensitive information
+- [x] AWS error messages sanitized before display
+- [x] Stack traces not shown in production
+- [x] Proper exit codes for security failures
 
 ### 8. Configuration Security
 
-- [ ] Config file location is appropriate (~/.config/)
-- [ ] Sensitive values (if any) marked appropriately
-- [ ] No secrets in example configs or tests
-- [ ] Config parsing handles malformed input safely
+- [x] Config file location is appropriate (~/.config/)
+- [x] Sensitive values (if any) marked appropriately
+- [x] No secrets in example configs or tests
+- [x] Config parsing handles malformed input safely
 
 ## Tools to Use
 
@@ -86,8 +86,8 @@ uv run semgrep --config auto remotepy/
 
 ## Acceptance Criteria
 
-- [ ] All review areas checked and documented
-- [ ] No critical or high severity issues remaining
-- [ ] Security tools run with clean output
-- [ ] Document any accepted risks with justification
-- [ ] Add security policy (SECURITY.md)
+- [x] All review areas checked and documented
+- [x] No critical or high severity issues remaining
+- [x] Security tools run with clean output
+- [x] Document any accepted risks with justification
+- [x] Add security policy (SECURITY.md)

specs/readme.md

@@ -78,7 +78,7 @@ Final polish and release preparation.
 |-------|-----|-------|-----------|------|--------|
 | 13 | 31 | SSH key config not used by connect | Config should flow to connect | [issue-31](./issue-31-ssh-key-config.md) | COMPLETED |
 | 14 | 32 | Rich output enhancements | Better UX for tables and panels | [issue-32](./issue-32-rich-output-enhancements.md) | COMPLETED |
-| 15 | 34 | Security review | Required before v1.0.0 | [issue-34](./issue-34-security-review.md) | Not started |
+| 15 | 34 | Security review | Required before v1.0.0 | [issue-34](./issue-34-security-review.md) | COMPLETED |
 | 16 | 30 | Remove root-level instance commands | Breaking change for v1.0.0 | [issue-30](./issue-30-remove-root-instance-commands.md) | Not started |
 | 17 | 33 | v1.0.0 release preparation | Final checklist | [issue-33](./issue-33-v1-release-preparation.md) | Not started |
 
@@ -94,7 +94,7 @@ Final polish and release preparation.
 | 14 | SSH subprocess error handling | [issue-14-ssh-error-handling.md](./issue-14-ssh-error-handling.md) | COMPLETED |
 | 15 | Unvalidated array index in AMI launch | [issue-15-ami-array-index.md](./issue-15-ami-array-index.md) | COMPLETED |
 | 33 | v1.0.0 release preparation | [issue-33-v1-release-preparation.md](./issue-33-v1-release-preparation.md) | Not started |
-| 34 | Security review | [issue-34-security-review.md](./issue-34-security-review.md) | Not started |
+| 34 | Security review | [issue-34-security-review.md](./issue-34-security-review.md) | COMPLETED |
 
 ### Medium Priority