This policy covers all shell scripts, Python modules, and configuration files in this repository. Since scripts interact with local AI models (llama.cpp/llama-cli), file systems, and network downloads, security is a priority.
| Branch | Supported |
|---|---|
| main | ✅ |
| develop | ✅ |
| others | ❌ |
Do NOT open a public issue for security vulnerabilities.
- Email: gsilvadacosta0@gmail.com
- Subject:
[SECURITY] <module-name> — brief description - Include: affected file(s), steps to reproduce, potential impact
- Response time: within 72 hours for acknowledgment, patch within 14 days for critical issues
- Input sanitization: All user-provided paths are validated before use in shell commands or code generation (see
lib/bash-common.sh:sanitize_path) - No privilege escalation: Scripts never execute
sudoautomatically; missing dependencies produce instructions for the user - Download integrity: Model downloads are verified with SHA256 checksums
- Portable shebangs: All scripts use
#!/usr/bin/env bashfor cross-platform compatibility - Temporary files: Created with
mktempand cleaned up viatrap cleanup EXIT - No secrets in code: API keys, tokens, and credentials must never be committed
- Scripts generate and compile C code at runtime (
RAM-IA.sh). User input is passed as argv, never embedded in source - llama-cli prompts are written to temporary files, not passed as shell arguments, to avoid injection
- Log files may contain AI model outputs; treat them as potentially sensitive data