Files
light-heart-labs--dreamserver/SECURITY.md
T
wehub-resource-sync 9e8f1bbeed
Dashboard / frontend (push) Failing after 0s
Dashboard / api (push) Failing after 0s
Lint PowerShell / powershell-lint (ubuntu-latest) (push) Failing after 1s
Python Lint / Lint Python with Ruff (push) Failing after 1s
ShellCheck / Lint shell scripts (push) Failing after 1s
Matrix Smoke / linux-smoke (push) Failing after 1s
Matrix Smoke / distro: cachyos (push) Failing after 15s
Matrix Smoke / distro: linux-mint-21.3 (push) Failing after 15s
Matrix Smoke / distro: debian-12 (push) Failing after 5m21s
Matrix Smoke / distro: fedora-41 (push) Failing after 4m56s
Matrix Smoke / distro: ubuntu-24.04 (push) Failing after 2m13s
Matrix Smoke / distro: rocky-9 (push) Failing after 10m39s
Matrix Smoke / distro: manjaro (push) Failing after 12m11s
Matrix Smoke / distro: opensuse-tw (push) Failing after 11m53s
Matrix Smoke / distro: archlinux (push) Failing after 20m3s
Matrix Smoke / distro: ubuntu-22.04 (push) Failing after 13m49s
Validate .env Schema / tier-1-env-validation (push) Successful in 52s
Validate .env Schema / tier-2-env-validation (push) Successful in 44s
Validate .env Schema / tier-3-env-validation (push) Successful in 52s
Validate .env Schema / tier-4-env-validation (push) Successful in 51s
Validate Extensions Catalog / Check catalog is up-to-date (push) Failing after 9m47s
Secret Scan / Scan for secrets (push) Failing after 21m4s
Validate Docker Compose / Validate Docker Compose files (push) Has been cancelled
Python Type Check / Type check with mypy (push) Has been cancelled
Validate .env Schema / tier-0-env-validation (push) Has been cancelled
Test Linux / integration-smoke (push) Has been cancelled
Lint PowerShell / powershell-lint (windows-latest) (push) Has been cancelled
Matrix Smoke / macos-smoke (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:31:33 +08:00

1.7 KiB

Security Policy

ODS is local infrastructure that can manage Docker, models, secrets, network exposure, and host-side installer state. Please report security issues privately before opening a public issue.

Report A Vulnerability

Use GitHub's private vulnerability reporting for this repository when available. If you cannot use private reporting, open a minimal public issue that asks for a maintainer contact path without including exploit details, secrets, logs, or proof-of-concept payloads.

Security Documentation

  • Security guide covers operator hardening, generated secrets, network binding, and service exposure guidance.
  • Security audit receipts track historical findings, remediation status, and regression evidence.
  • Installer trust explains inspect-first install paths, release-ref pinning, and current provenance limits.
  • AI workflow guardrails documents how AI-assisted automation is constrained by human review, protected paths, and validation.

Supported Code

Use tagged releases for stable installs and downstream forks. The main branch moves quickly and is validated continuously, but it is still the development line. For release confidence, see Release Validation and the Validation Matrix.

Public Exposure

ODS defaults to localhost-bound services. Treat LAN exposure, reverse proxy changes, OAuth credentials, owner-card access, and extension installation as high-risk surfaces. Do not expose a default install directly to the public internet without an additional security review and deployment boundary.