Squire spawns subprocess children based on caller-provided binaries and merges into the caller's ~/.claude/settings.json file. If you find a security issue (subprocess escape, settings-file corruption, MCP config injection, etc.), please report it privately.

Email: ejredd2007@gmail.com Subject prefix: [squire security]

Please include:

• Squire version (npm ls @pythonluvr/squire)
• Node version, OS
• Minimal repro
• Impact assessment (what an attacker can achieve)

We aim to acknowledge within 72 hours and ship a patch on the v1.x line within 14 days for confirmed issues.

In scope:

• The public API surface in src/index.ts.
• The settings.json merge in src/autosetup/.
• The MCP config writer in src/mcp/forwarder.ts.
• The spawn logic in src/spawn.ts.

Out of scope:

• Vulnerabilities in the child CLIs Squire spawns (report those to the CLI vendor).
• Misuse of the public API (for example, passing untrusted input as binary).

The current v1.x major line receives security fixes. Older majors do not.