Do not open a public GitHub issue for security reports.
If you discover a security vulnerability in symphony-ts, please report it privately:
- Preferred: open a GitHub Security Advisory (Privately share a security vulnerability with maintainers).
- Alternative: email
janusz@forserial.orgwith[symphony-ts security]in the subject line.
Please include:
- A description of the issue and its potential impact.
- The version or commit you tested against.
- Steps to reproduce or a minimal proof of concept.
- Any suggested fix or mitigation.
This is a local-first, experimental project maintained best-effort. There is no SLA for security responses. The maintainer will acknowledge reports as time permits and coordinate disclosure timing with the reporter.
Only the latest released version receives security consideration. Pre-1.0 releases may have breaking changes; upgrade notes appear in CHANGELOG.md.
Security issues include credential leakage, path traversal in workspace handling, unsafe deserialization, command injection in the Codex/CLI surfaces, and similar concerns. General bugs, feature requests, and configuration questions belong in regular issues, not security reports.