138 lines
6.3 KiB
Markdown
138 lines
6.3 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
Reasonix security fixes are prioritized for the currently developed Go rewrite
|
|
and the current 1.x release line.
|
|
|
|
| Version or branch | Security support |
|
|
| --- | --- |
|
|
| `main-v2` / 1.x releases | Supported |
|
|
| `v1` / 0.x legacy branch | Critical fixes only, where practical |
|
|
| Older releases, forks, or modified builds | Not covered unless the issue is reproducible upstream |
|
|
|
|
If you are unsure whether a version is affected, report against the newest
|
|
released 1.x version and include the exact version or commit you tested.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
Please report security issues privately. Do not open a public issue with exploit
|
|
details, secrets, crash dumps, or proof-of-concept payloads.
|
|
|
|
Preferred reporting path:
|
|
|
|
1. Use GitHub private vulnerability reporting for this repository, if available.
|
|
2. If private reporting is not available to you, open a minimal public issue
|
|
asking for a private maintainer contact path. Do not include exploit details
|
|
in that issue.
|
|
|
|
Please include:
|
|
|
|
- Affected Reasonix version, commit, operating system, and installation method.
|
|
- The feature or surface involved, such as CLI, desktop app, HTTP `serve`, bot
|
|
gateway, MCP plugin, built-in tool, updater, or configuration loading.
|
|
- Clear reproduction steps using dummy credentials and non-sensitive files.
|
|
- The expected impact, such as secret disclosure, arbitrary file access,
|
|
command execution, sandbox escape, authentication bypass, or supply-chain risk.
|
|
- Any relevant logs with API keys, tokens, local paths, and personal data
|
|
redacted.
|
|
|
|
Do not send real provider API keys, bot credentials, OAuth tokens, private
|
|
workspace files, or third-party user data.
|
|
|
|
## Security Boundaries
|
|
|
|
Reasonix is a local coding agent. Many features intentionally operate on the
|
|
user's local machine and workspace, including file reads, file writes, shell
|
|
commands, MCP plugins, language servers, bot sessions, and model-provider
|
|
requests. A finding is security-relevant when it crosses a supported boundary or
|
|
bypasses an explicit guard.
|
|
|
|
Supported boundaries include:
|
|
|
|
- Workspace confinement for file operations that are documented or implemented
|
|
as workspace-scoped.
|
|
- Permission checks for tool calls, shell commands, file writes, and approvals.
|
|
- Sandbox behavior for built-in shell execution where the platform supports it.
|
|
- Secret handling for provider keys, bot credentials, OAuth tokens, plugin
|
|
headers, and credential-store fallback files.
|
|
- HTTP `serve` protections for the unauthenticated local server, including
|
|
localhost binding assumptions, JSON-only state-changing requests, and CORS
|
|
restrictions.
|
|
- Desktop and bot session isolation, including per-workspace session metadata
|
|
and configured bot allowlists.
|
|
- Updater, install, and release verification paths.
|
|
|
|
The following are normally treated as trusted local/operator-controlled inputs
|
|
unless another bug lets an untrusted actor supply them:
|
|
|
|
- CLI arguments and text typed directly by the local user.
|
|
- Project configuration files intentionally loaded from the current workspace.
|
|
- Explicit `@path` references supplied by the local user to attach local files.
|
|
- MCP servers, language servers, hooks, and slash commands installed or enabled
|
|
by the local user.
|
|
- Provider base URLs and model names configured by the local user.
|
|
|
|
The following can be security issues when reachable by an untrusted actor or
|
|
when they bypass the intended boundary:
|
|
|
|
- Reading or writing files outside the configured workspace without explicit
|
|
local-user intent.
|
|
- Following symlinks or path traversal to escape workspace confinement.
|
|
- Running shell commands or external tools without the required permission gate.
|
|
- Leaking credentials, environment variables, prompt history, local files, or bot
|
|
messages to logs, model providers, MCP servers, crash reports, or telemetry.
|
|
- Allowing a website to drive the local HTTP server through CSRF, CORS, or
|
|
content-type bypasses.
|
|
- Letting a bot user outside the configured allowlist submit prompts, approve
|
|
tools, or access a project workspace.
|
|
- Trusting unverified update artifacts, plugin definitions, or downloaded
|
|
binaries.
|
|
|
|
## `@` File References
|
|
|
|
Reasonix supports `@path` references so users can include local files and images
|
|
in a prompt. This is intentional local functionality, but implementations must
|
|
preserve these invariants:
|
|
|
|
- In workspace-scoped sessions, relative and absolute paths must resolve under
|
|
the active workspace root before file content is read or attached.
|
|
- Path traversal such as `..` must not escape the workspace root.
|
|
- Symlinks must not be usable to bypass the intended workspace boundary.
|
|
- Unscoped local CLI compatibility must not be exposed to remote, bot, or
|
|
browser-controlled inputs unless an equivalent workspace boundary is applied.
|
|
- File content should be size-limited and binary content should not be dumped as
|
|
prompt text.
|
|
|
|
Static analysis alerts about path expressions should be triaged against these
|
|
rules: user-controlled path data is expected, but the access must either stay
|
|
inside the configured workspace or be clearly limited to trusted local CLI use.
|
|
|
|
## Out of Scope
|
|
|
|
The following reports are usually out of scope unless they demonstrate a bypass
|
|
of one of the boundaries above:
|
|
|
|
- A local user intentionally asks Reasonix to read, edit, or send their own
|
|
files to a configured model provider.
|
|
- A local user installs or enables a malicious MCP server, hook, slash command,
|
|
language server, or shell command and then grants it permission.
|
|
- A configured model provider, proxy, or MCP server receives data the user
|
|
intentionally sent to it.
|
|
- Denial-of-service issues that only affect the local user's own session and do
|
|
not corrupt files, leak secrets, or bypass permissions.
|
|
- Issues requiring administrator/root access on the user's machine before
|
|
interacting with Reasonix.
|
|
- Vulnerabilities in third-party services, models, proxies, or plugins that are
|
|
not caused by Reasonix behavior.
|
|
|
|
## Coordinated Disclosure
|
|
|
|
This is a community-maintained project. Maintainers will make a best-effort
|
|
assessment, ask follow-up questions when needed, and coordinate fixes before
|
|
public disclosure for confirmed vulnerabilities.
|
|
|
|
Please give maintainers reasonable time to investigate and release a fix before
|
|
publishing exploit details. If you plan to disclose on a timeline, include that
|
|
timeline in your initial report.
|