If you find a security vulnerability, do not open a public issue.
Contact directly:
- GitHub: SamBleed
- Repo: opencode-obsidian
Vulnerabilities will be addressed within 48 business hours.
This policy covers:
- OpenCode skills in
skills/ - Scripts in
bin/andscripts/ - n8n workflows in
automation/n8n-lab/ - Hooks in
hooks/hooks.json - Tests in
tests/
- No hardcoded API keys in scripts (verified by
make test-scripts) - Keys live in
.env(gitignored) or in n8n credential vault - Test suite scans for secret patterns on every run
- AOC v4 webhook supports
x-aoc-secretheader - Rate limiting by source implemented in the pipeline
- Secret redaction in logs and payloads
- Dry-run mode by default (
AOC_DRY_RUN=true)
- Ingest server binds to
127.0.0.1:9090by default - n8n exposes only on localhost
- Autoresearch validates and sanitizes URLs before fetch
- Content sanitization: prevents wikilink injection and scripts in external sources
- n8n container with version pinning
- Secret scanning in test suite
- npm audit as recommended practice
- Never commit
.env, API keys, tokens, or credentials - Use environment variables for sensitive configuration
- Run
make testbefore pushing (includes secret scanning) - Keep n8n updated (regular docker pull)
- Do not expose n8n to the internet without a reverse proxy with SSL
- Configure
x-aoc-secretbefore activating the AOC v4
# Verify no secrets in repo
make test-scripts
# Verify vault integrity
./bin/bunker-check.sh
# Verify n8n is not exposed (should only show 127.0.0.1:5678)
ss -tlnp 2>/dev/null | grep 5678 | grep -v 0.0.0.0 || netstat -tlnp 2>/dev/null | grep 5678 | grep -v 0.0.0.0