# Security Policy ## Supported versions This project is pre-1.0. Security fixes land on `main` until versioned releases exist. ## Reporting a vulnerability Please do not open a public issue with exploit details. Contact the repository maintainers privately through the security advisory flow once the public GitHub repository exists. ## Security model - The frontend never receives `TELEGRAM_BOT_TOKEN`. - Telegram Mini App `initData` is validated server-side when `KANBAN_UI_AUTH_MODE=telegram`. - `TELEGRAM_ALLOWED_USER_IDS` can restrict access to specific Telegram users. - Backend mutations go through fixed Hermes Kanban CLI subcommands with `subprocess.run(argv, shell=False)`. - `.env` and local logs are ignored by git. ## Deployment notes Run behind HTTPS for Telegram Mini Apps, restrict CORS with `KANBAN_UI_ALLOWED_ORIGINS`, and run the service as a user that has only the Hermes permissions it needs.