| Version | Supported |
|---|---|
| 0.4.x | ✅ |
| < 0.4 | ❌ |
UniSchema handles constituent and donor data. If you discover a security issue, do not open a public issue with live credentials or production payloads.
- Use GitHub Security Advisories on this repository if available.
- Otherwise, open a minimal issue describing impact and reproduction steps without secrets or real PII.
We aim to acknowledge reports within 5 business days and provide a fix or mitigation timeline for confirmed issues.
- Set
WEBHOOK_SIGNATURE_REQUIRED=trueand unique HMAC secrets per vendor in production. - Set
MAPPING_SYNC_TOKENandDRIFT_AGENT_TOKENto long random strings; never commit.envfiles. - Set
TRUST_PROXY=trueonly when behind a reverse proxy you control (Fly, Railway, nginx). - Prefer S3 egress with IAM least privilege over long-lived root credentials.
- Review drift agent output manually — LLM-proposed mapper patches are not auto-deployed.
See docs/security-and-privacy.md for FERPA-adjacent guidance and data retention.
In scope: webhook authentication bypass, unauthorized mapping sync, drift queue data exposure, secret leakage in logs or egress, SQL injection via Drizzle queries, path traversal in local egress.
Out of scope: vendor-side webhook misconfiguration, downstream warehouse access controls, denial-of-service at the network edge (use Cloudflare/nginx rate limits in addition to app limits).