crm-cli is a local-only CLI tool — no network service, no remote API, no telemetry. All data stays on your machine in a single SQLite file. For a full technical breakdown of the threat model, attack surface, and design decisions, see spec/security.md.
Only the latest release receives security fixes.
| Version | Supported |
|---|---|
| Latest | ✅ |
| Older | ❌ |
Do not open a public GitHub issue for security vulnerabilities.
Report privately via GitHub's private vulnerability reporting.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (optional)
You'll receive an acknowledgement within 72 hours and a resolution timeline once assessed.
```sh
# Protect your database (readable by other users by default)
chmod 600 ~/.crm/crm.db
# Protect your config (contains hook shell commands)
chmod 600 ~/.crm/crm.toml
# If using the filesystem mount, restrict access
chmod 700 ~/crm
```

```sh
pip install koda
koda scan .
# Expected: 92/100 Grade A — 1 intentional finding (see spec/security.md §3)
```
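An added example, not part of crm-cli, that audits whether the database, config and mount directory are at least as restrictive as the `chmod` commands above require (it flags 644 on the database or 755 on the mount, and accepts tighter modes such as 400). The default paths are the ones from those commands; the function names and the optional path arguments for testing are this example's own.

```sh
#!/bin/sh
# Added example (not crm-cli's own code): check the permission bits on
# ~/.crm/crm.db, ~/.crm/crm.toml and ~/crm against the hardening above.

# Print the octal permission bits of a path (GNU stat, BSD/macOS fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# crm_check_mode PATH MAX_MODE
# Succeeds when PATH exists and grants no permission bit outside MAX_MODE,
# so 600 accepts 600 or 400 but rejects 644 and 660.
crm_check_mode() {
  path=$1; max=$2
  if [ ! -e "$path" ]; then
    printf 'missing: %s\n' "$path"
    return 1
  fi
  actual=$(mode_of "$path")
  # Bits present in the actual mode but absent from the allowed mode.
  excess=$(( 0$actual & ~0$max & 0777 ))
  if [ "$excess" -ne 0 ]; then
    printf 'too permissive: %s is %s, want at most %s\n' "$path" "$actual" "$max"
    return 1
  fi
  return 0
}

# crm_audit [CRM_HOME] [MOUNT_DIR]
# Arguments default to the paths used above; pass others to test elsewhere.
crm_audit() {
  home=${1:-$HOME/.crm}; mount=${2:-$HOME/crm}
  rc=0
  crm_check_mode "$home/crm.db" 600 || rc=1    # SQLite database
  crm_check_mode "$home/crm.toml" 600 || rc=1  # config holds hook shell commands
  if [ -d "$mount" ]; then                     # mount directory is optional
    crm_check_mode "$mount" 700 || rc=1
  fi
  return $rc
}
```

Run `crm_audit` with no arguments after the `chmod` steps; a non-zero exit lists each path that is still too open.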