Security

SECURITY.md

Security Policy

Supported Scope

Security reports are accepted for:

ai-server.js
insights/
dev-sandbox-mcp/

opencode-mcp/ is currently out of migration scope and may have separate processes.

Reporting a Vulnerability

Please report vulnerabilities privately to the maintainers. Do not open public issues for active vulnerabilities.

Include:

Affected component and version/commit
Reproduction steps
Impact assessment
Suggested mitigation (if available)

Secret Handling

Never commit real API keys or tokens.
Use *.env.example/templates for documentation.
Sanitize logs and generated reports before sharing.

There aren’t any published security advisories