Thanks for helping keep Dirgha Code and its users safe.
Please do not file a public GitHub issue for security problems.
- Preferred: private vulnerability report through GitHub's Security Advisories.
- Alternative: email `security@dirgha.ai` with the word `SECURITY` in the subject.
We will acknowledge reports within 24 hours on business days and aim to triage within 72 hours. We will keep you informed through remediation and credit you in the advisory unless you prefer to remain anonymous.
In scope:
- The `@dirgha/code` CLI and any code in this repository.
- The `api.dirgha.ai` gateway as used by the CLI (auth, credit handling, routing).
- Supply-chain issues in direct production dependencies declared in `package.json`.
Out of scope:
- Rate limits or availability of upstream model providers (report directly to the provider).
- Issues requiring a user to run a modified, forked, or untrusted build.
- Social-engineering attacks that rely on convincing a user to disclose their own API keys.
- Denial-of-service via provider rate limits.
- Vulnerabilities in example code under `docs/` or `examples/` that are explicitly for illustration.
High priority:
- Remote code execution or sandbox escape in the CLI.
- Prompt-injection vectors that cause the CLI to exfiltrate secrets, escalate tool permissions, or perform unconfirmed destructive actions.
- Credential leakage — logging, persistence, telemetry, or transmission of user API keys, session tokens, or file contents to unintended destinations.
- Auth bypass on the gateway (ability to consume credits without a valid session, or act as another user).
- Billing bypass (circumvent credit checks, forge webhook events).
- Supply-chain compromise (malicious version of a dependency we ship or pin).
Lower priority but still reportable:
- Privilege escalation in the permission system.
- TOCTOU or race conditions in file-lock handling.
- Insecure defaults in a supported configuration.
We ask that you:
- Give us reasonable time to remediate before public disclosure (90 days is typical; we will request longer only if the fix genuinely takes longer).
- Do not access or retain user data beyond what is needed to demonstrate the issue.
- Do not run destructive tests against production infrastructure — a minimal proof-of-concept is sufficient.
Contributors who report valid issues are credited in THANKS.md and in the GitHub Security Advisory, unless they opt out.
The following vulnerability classes were identified and fixed during the v1.18.0 audit cycle (May 2026):
| Class | Fix | File |
|---|---|---|
| Shell injection via `shell: true` in hooks | Replaced with argv-split `spawn(bin, args, { shell: false })` | `src/hooks/config-bridge.ts` |
| Path traversal bypass via unvalidated relative paths | Relative paths now resolved against cwd before bounds check | `src/safety/policy.ts` |
| Seatbelt profile injection via `)` metacharacters | Unsafe characters rejected before escaping | `src/safety/sandbox/seatbelt.ts` |
| PowerShell command injection in `/paste` | Base64-encoded script path passed via `-EncodedCommand` | `src/cli/slash/paste.ts` |
| Null object spread crash via malformed config | `value !== null` guard added to merge function | `src/cli/config.ts` |
| Model choice silently discarded in wizard | `cfg.defaultModel` → `cfg.model` key fixed | `src/cli/flows/wizard.ts` |
| Stdin hang on approval read | Error listener + settled flag prevent hang on TTY close | `src/tui/approval.ts` |
| Path traversal in `/memory` commands | `assertValidKey()` enforced in `get`, `upsert`, `remove` | `src/context/memory.ts` |
| Path traversal in `/session rename` | `basename()` validation on session id before path construction | `src/cli/slash/session.ts` |
| Path traversal in `scaffold --name` | `basename()` guard rejects names with path separators | `src/cli/subcommands/scaffold.ts` |
| API key leak via overlay focus collision | `inputFocus=false` when `KeySetOverlay` or `ApprovalPrompt` active | `src/tui/ink/App.tsx` |
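Four of the rows above are the same bug class: a user-controlled string reaches a filesystem path without being normalised and bounds-checked first. The block below is an added illustration of the two guards the table names (resolve against the root before the containment check; reject anything that is not a plain `basename()` as a single path component). It is not Dirgha Code's own source; the function names `resolveInsideRoot` and `assertSimpleName` are hypothetical and the project's real helpers (`assertValidKey()`, the policy bounds check) are not reproduced here.

```typescript
// Added example, not code from the Dirgha Code repository. Function names are
// hypothetical stand-ins for the guards described in the audit table.
import * as path from "node:path";

export class PathPolicyError extends Error {}

// Resolve a user-supplied path against the root *first*, then bounds-check.
// Checking before resolving is the bypass the table describes: "../x" or an
// absolute "/etc/passwd" only reveal where they land after normalisation.
export function resolveInsideRoot(root: string, userPath: string): string {
  const rootAbs = path.resolve(root);
  const target = path.resolve(rootAbs, userPath);
  // The root itself is fine; anything else must sit strictly under
  // rootAbs + separator, so "/work/project-evil" does not pass for
  // "/work/project" on a plain prefix comparison.
  if (target !== rootAbs && !target.startsWith(rootAbs + path.sep)) {
    throw new PathPolicyError(`path escapes ${rootAbs}: ${userPath}`);
  }
  return target;
}

// For values that become a single path component (session id, memory key,
// scaffold name): accept only a plain basename with no separators or NULs.
export function assertSimpleName(name: string): string {
  if (
    name.length === 0 ||
    name === "." ||
    name === ".." ||
    name !== path.basename(name) ||
    name.includes("/") ||      // basename() on POSIX keeps backslashes,
    name.includes("\\") ||     // so check both separators explicitly
    name.includes("\0")
  ) {
    throw new PathPolicyError(`invalid name: ${JSON.stringify(name)}`);
  }
  return name;
}

// Boolean wrappers so the guards can be exercised without try/catch noise.
export function isInsideRoot(root: string, userPath: string): boolean {
  try { resolveInsideRoot(root, userPath); return true; } catch { return false; }
}
export function isSimpleName(name: string): boolean {
  try { assertSimpleName(name); return true; } catch { return false; }
}
```

The containment check compares against `rootAbs + path.sep`, not `rootAbs` alone; that one character is the difference between rejecting and accepting a sibling directory whose name merely starts with the root's name.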
If you need to encrypt your report, request a public key at security@dirgha.ai.