If you find a security issue in TraceCC, please report it privately rather than opening a public issue.
Email the maintainer at the address associated with the git commits. Include:
- A description of the issue
- Steps to reproduce
- The impact as you understand it
You should receive a response within 72 hours. If the issue is confirmed, a fix will be prioritized and a patched release issued as soon as practical.
TraceCC processes agent trace logs and compiles them into SQLite bundles. Security concerns most likely involve:
- Secret leakage: Traces may contain API keys, tokens, or credentials. The
--redact defaultflag exists for this reason. If you find a case where redaction misses sensitive data, that's a reportable issue. - SQL injection via trace content: Compiled bundles use parameterized queries, but if you find a way to inject SQL through crafted JSONL input, report it.
- Path traversal: Trace discovery walks directories. If you find a way to make it read or write outside expected paths, report it.
- Bugs that require the attacker to already have write access to the bundle file (the bundle is a local SQLite database, not a networked service).
- Denial of service via large inputs (TraceCC is a local CLI tool, not a server).
Only the latest release is actively maintained. If you're running an older version, upgrade before reporting.