| Version | Supported |
|---|---|
1.x |
✅ |
< 1.0 |
❌ |
Security fixes are backported only to the latest 1.x minor release.
Do not open a public GitHub issue for security reports.
Open a private security advisory via the repository's Security tab
(Security → Report a vulnerability). Provide:
- A clear description of the problem and the attack surface.
- Reproduction steps or a minimal proof-of-concept.
- The affected pack version (
VERSIONfile or.cursor/pack-version.json). - Your assessment of severity (critical / high / medium / low).
Encrypted communication is available on request.
| Stage | Target |
|---|---|
| Acknowledgment | within 48 hours |
| Initial triage | within 7 days |
| Fix or mitigation | depends on severity (critical: ≤ 14 days; others: next minor) |
| Public disclosure | coordinated with the reporter |
Harmonist ships two classes of assets, both in-scope for security review:
Shipped code — always in scope:
agents/scripts/*.py+hooks/scripts/*.{py,sh}— the enforcement layer. Any path traversal, command injection, or privilege escalation vector is a security bug.memory/memory.py+memory/validate.py— the supply-chain-sensitive CLI and validator. Bypassing secret-pattern scans or validator checks counts as in-scope.MANIFEST.sha256verification inupgrade.py/install_extras.py— any way to install a tampered source file is critical.scan_agent_safety.py— the prompt-injection scanner. False negatives on documented hostile patterns are in-scope.
Shipped prompts (agent .md files) — limited scope:
- Hostile content in agent bodies that tries to override the protocol,
exfiltrate secrets, or subvert review gates is a bug.
scan_agent_safety.pyis expected to catch these on the catalogue we ship; escapes are in-scope. - Prompts misbehaving under adversarial user input (jailbreak research) are out of scope — no LLM prompt is bulletproof.
Out of scope:
- LLM hallucinations or model-specific behaviour.
- Issues in third-party tools (Cursor, Claude Code, Copilot, etc.).
- Social-engineering attacks against maintainers.
- Run
python3 agents/scripts/check_pack_health.pyafter every pull. It verifiesMANIFEST.sha256, lints the catalogue, and runs the prompt-injection scanner. - Keep
.cursor/memory/*.mdin.gitignoreunless the project is public and the content has been reviewed. Memory files accumulate project-sensitive state. - Set
telemetry_enabled: falsein.cursor/hooks/config.jsonif local agent-usage counters are undesirable. - When upgrading a project, always use
upgrade.py --apply(not manual copy).--applysha-verifies every source file before it touches the project.