hermes-kanban-miniapp/SECURITY.md

22 lines
922 B
Markdown
Raw Permalink Normal View History

2026-07-09 17:19:33 +03:00
# Security Policy
## Supported versions
This project is pre-1.0. Security fixes land on `main` until versioned releases exist.
## Reporting a vulnerability
Please do not open a public issue with exploit details. Contact the repository maintainers privately through the security advisory flow once the public GitHub repository exists.
## Security model
- The frontend never receives `TELEGRAM_BOT_TOKEN`.
- Telegram Mini App `initData` is validated server-side when `KANBAN_UI_AUTH_MODE=telegram`.
- `TELEGRAM_ALLOWED_USER_IDS` can restrict access to specific Telegram users.
- Backend mutations go through fixed Hermes Kanban CLI subcommands with `subprocess.run(argv, shell=False)`.
- `.env` and local logs are ignored by git.
## Deployment notes
Run behind HTTPS for Telegram Mini Apps, restrict CORS with `KANBAN_UI_ALLOWED_ORIGINS`, and run the service as a user that has only the Hermes permissions it needs.