denis
305787fae3
Some checks are pending
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / preflight (push) Waiting to run
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / vps-smoke (push) Waiting to run
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:frustration-matrix,kei-frustration-loop,kei-skill-importer,kei-projects-index,kei-projects-watcher,kei-gdrive-import,kei-leak-matrix,kei-skills,kei-gateway,kei-cron-scheduler,kei-export-trajectories,kei-backend-daytona,kei-d… (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-compute-baremetal,kei-compute-vultr,kei-compute-linode,kei-compute-digitalocean,kei-svc-systemd,kei-llm-bridge-mlx name:hosted-sleep-compute]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-diff,kei-scheduler,kei-watch,kei-prune,kei-discover,kei-brain-view,kei-hibernate,kei-ledger-sign,kei-fork name:wave13-15]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-git-gitea,kei-git-forgejo,kei-git-gitlab,kei-git-bitbucket,kei-memory-sled,kei-memory-redis,kei-memory-postgres,kei-memory-sqlite,kei-auth-google,kei-auth-apple,kei-auth-magiclink,kei-auth-webauthn,kei-notify-slack,kei-n… (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-ledger,kei-migrate,kei-changelog,kei-memory,kei-store,kei-conflict-scan,kei-refactor-engine,kei-graph-check,kei-shared,kei-dna-index,kei-pet name:core]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-machine-probe,kei-llm-ollama,kei-llm-llamacpp,kei-llm-mlx,kei-llm-router,kei-model name:llm-stack]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-router,kei-sage,kei-task,kei-chat-store,kei-crossdomain,kei-search-core,kei-content-store,kei-social-store,kei-curator,kei-auth,kei-artifact name:mcp-lbm]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:keisei,kei-forge,kei-runtime,kei-runtime-core,kei-atom-discovery,kei-agent-runtime,kei-capability,kei-provision,kei-entity-store,kei-pipe,kei-cache,kei-spawn,kei-replay name:atom-substrate]) (push) Blocked by required conditions
32 lines
1.7 KiB
Markdown
32 lines
1.7 KiB
Markdown
# Security Policy
|
|
|
|
## Reporting a vulnerability
|
|
|
|
Email `parfionovich@keilab.io` with a description and reproduction steps. PGP key available on request.
|
|
|
|
## Threat model
|
|
|
|
- Secrets handling: see RULE 0.8 — all tokens via env vars, hardcoding blocked at PreToolUse:Edit by `hooks/secrets-pre-guard.sh` and Rust binary `_primitives/_rust/secrets-guard/`.
|
|
- Banned-project leak guard: `_primitives/_rust/kei-leak-matrix/` runs on every push attempt to flag known patent / IP markers.
|
|
- Public-push gate: RULE 0.1 triple-confirm via `hooks/no-github-push.sh` before any push to publicly-reachable remote.
|
|
|
|
## Supported versions
|
|
|
|
Latest `v0.38.x` tag. Older versions accept fixes for CVEs only.
|
|
|
|
## Audit
|
|
|
|
See `docs/SECURITY.md` for the secret-pattern detector regex set used by `secrets-guard`.
|
|
|
|
### Known transitive-dependency advisories (2026-05-12 audit)
|
|
|
|
`cargo audit` flags 9 RUSTSEC advisories from transitive deps (not used directly):
|
|
|
|
- `rsa 0.9.10` — RUSTSEC-2023-0071 (Marvin Attack timing sidechannel). Path: vendored RSA used by S3/auth crates.
|
|
- `rustls-webpki 0.101.7 + 0.102.8` — RUSTSEC-2026-{0049,0098,0099,0104}. Path: TLS in HTTP/auth deps.
|
|
- `sqlx 0.8.0` — RUSTSEC-2024-0363 (Binary Protocol Misinterpretation). Path: postgres clients.
|
|
- `async-std 1.13.2` — RUSTSEC-2025-0052 (discontinued).
|
|
- `lru 0.12.5` — RUSTSEC-2026-0002 (unsound `IterMut`).
|
|
- `fxhash 0.2.1`, `instant 0.1.13` — unmaintained.
|
|
|
|
Resolution requires major-version bumps in direct deps (sqlx 0.9, rustls 0.23+, rsa 0.10). Tracked separately; non-blocker for current dev usage (no untrusted RSA-decrypt path, no untrusted TLS-cert validation against malicious URI/wildcard names in current code-paths).
|