Skip to content

Security: ta2jam/morfeus

SECURITY.md

Security policy

Project status

Morfeus 0.0.x is experimental and limited to trusted local workers. It does not currently provide a sandbox, capability jail, secret isolation, or a general exactly-once side-effect guarantee. Do not use it for untrusted workloads or high-impact production changes.

The known architectural gaps and planned controls are documented in docs/ROADMAP.md.

Supported versions

Version Security fixes
Latest 0.0.x Best effort
Older versions Not supported

This policy will become stricter before 1.0.0.

Reporting a vulnerability

Do not open a public issue for a suspected vulnerability.

Use GitHub's private vulnerability reporting for ta2jam/morfeus. Include:

  • affected version and platform;
  • minimal reproduction;
  • expected and observed security boundary;
  • impact and attacker prerequisites;
  • any suggested mitigation;
  • whether the report or fix may be publicly credited.

You should receive an acknowledgement within 72 hours. No bounty is currently offered. Disclosure timing will be coordinated after impact and remediation are understood.

Scope priorities

High-priority reports include:

  • worker access to control-plane state or secrets;
  • sandbox, path, or network-policy escape;
  • stale lease/fencing bypass producing duplicate effects;
  • false-success or evidence tampering;
  • cross-task or future cross-tenant data exposure;
  • installer path/symlink attacks;
  • release artifact or provenance compromise.

Local inference boundary

The interactive chat agent is advisory only. It cannot call workload tools, approve effects, or mark desired state as satisfied. Model text is untrusted and is not evidence.

Morfeus starts llama-server as a session child with these controls:

  • loopback-only bind and a random per-session API key file;
  • one inference slot and a 16K context cap;
  • text-only loading (--no-mmproj);
  • a minimal environment without API keys or proxy variables;
  • bounded HTTP response reads;
  • process-group termination when the Morfeus session exits;
  • immutable model revisions with pinned byte size and SHA-256 verification.

The llama.cpp binary and GGUF parser remain trusted local dependencies. Local model output can still be incorrect, adversarial, or prompt-injected. Do not use chat output as authorization, policy, acceptance evidence, or production change approval.

There aren't any published security advisories