The project is pre-1.0; security fixes are applied to the latest released version. Older versions may not receive backports.
Email: team@tenets.dev (or team@manic.agency if unreachable)
Please include:
- Description of the issue
- Steps to reproduce / proof-of-concept
- Potential impact / affected components
- Your environment (OS, Python, tenets version)
We aim to acknowledge within 3 business days and provide a remediation ETA after triage.
Do not open public issues for exploitable vulnerabilities. Use the private email above. We will coordinate disclosure and credit (if desired) after a fix is released.
Tenets runs locally. Primary concerns:
- Arbitrary code execution via file parsing
- Directory traversal / path injection
- Insecure temporary file handling
- Leakage of private repository data beyond intended output
Out of scope:
- Issues that presuppose a malicious local user or local privilege escalation
- Vulnerabilities in optional third-party dependencies (report upstream)
Recommended hardening for users:
- Pin versions in production workflows
- Run the latest patch release
- Review output before sharing externally
- Avoid running against untrusted repositories without isolation (use containers)
Remediation process for confirmed reports:
- Triage & reproduce
- Develop fix in private branch
- Add regression tests
- Coordinate release (patch version bump)
- Publish advisory in CHANGELOG / release notes