keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/SECURITY.md
Parfii-bot a3f8e1f847 chore(prod-prep): root docs (CHANGELOG/CONTRIBUTING/SECURITY) + cargo update 
Root-level docs added per production-readiness audit:
- CHANGELOG.md — unreleased + pointer to git tags
- CONTRIBUTING.md — setup + PR checklist + Constructor Pattern
- SECURITY.md — reporting channel + threat model + known RUSTSEC list

cargo update applied: 19 patch/minor bumps (base64urlsafedata, blake3, cc,
crc-catalog, digest, filetime, h2, hashbrown, hybrid-array, idna_adapter,
js-sys, kqueue-sys, libc, nix, openssl, openssl-sys, pin-project,
pin-project-internal, redox_syscall).

9 RUSTSEC advisories from transitive deps remain (rsa 0.9 Marvin,
rustls-webpki x5, sqlx 0.8 Binary Protocol, async-std discontinued,
lru unsound IterMut, fxhash/instant unmaintained) — require major-version
bumps in direct deps, tracked in SECURITY.md "Known advisories" section.
2026-05-12 20:41:13 +08:00

1.7 KiB
Raw Blame History

Security Policy

Reporting a vulnerability

Email parfionovich@keilab.io with a description and reproduction steps. PGP key available on request.

Threat model

  • Secrets handling: see RULE 0.8 — all tokens via env vars, hardcoding blocked at PreToolUse:Edit by hooks/secrets-pre-guard.sh and Rust binary _primitives/_rust/secrets-guard/.
  • Banned-project leak guard: _primitives/_rust/kei-leak-matrix/ runs on every push attempt to flag known patent / IP markers.
  • Public-push gate: RULE 0.1 triple-confirm via hooks/no-github-push.sh before any push to publicly-reachable remote.

Supported versions

Latest v0.14.x tag. Older versions accept fixes for CVEs only.

Audit

See docs/SECURITY.md for the secret-pattern detector regex set used by secrets-guard.

Known transitive-dependency advisories (2026-05-12 audit)

cargo audit flags 9 RUSTSEC advisories from transitive deps (not used directly):

  • rsa 0.9.10 — RUSTSEC-2023-0071 (Marvin Attack timing sidechannel). Path: vendored RSA used by S3/auth crates.
  • rustls-webpki 0.101.7 + 0.102.8 — RUSTSEC-2026-{0049,0098,0099,0104}. Path: TLS in HTTP/auth deps.
  • sqlx 0.8.0 — RUSTSEC-2024-0363 (Binary Protocol Misinterpretation). Path: postgres clients.
  • async-std 1.13.2 — RUSTSEC-2025-0052 (discontinued).
  • lru 0.12.5 — RUSTSEC-2026-0002 (unsound IterMut).
  • fxhash 0.2.1, instant 0.1.13 — unmaintained.

Resolution requires major-version bumps in direct deps (sqlx 0.9, rustls 0.23+, rsa 0.10). Tracked separately; non-blocker for current dev usage (no untrusted RSA-decrypt path, no untrusted TLS-cert validation against malicious URI/wildcard names in current code-paths).