922 B
922 B
Security Policy
Supported versions
This project is pre-1.0. Security fixes land on main until versioned releases exist.
Reporting a vulnerability
Please do not open a public issue with exploit details. Contact the repository maintainers privately through the security advisory flow once the public GitHub repository exists.
Security model
- The frontend never receives
TELEGRAM_BOT_TOKEN. - Telegram Mini App
initDatais validated server-side whenKANBAN_UI_AUTH_MODE=telegram. TELEGRAM_ALLOWED_USER_IDScan restrict access to specific Telegram users.- Backend mutations go through fixed Hermes Kanban CLI subcommands with
subprocess.run(argv, shell=False). .envand local logs are ignored by git.
Deployment notes
Run behind HTTPS for Telegram Mini Apps, restrict CORS with KANBAN_UI_ALLOWED_ORIGINS, and run the service as a user that has only the Hermes permissions it needs.