hermes-kanban-miniapp/SECURITY.md
2026-07-09 17:19:33 +03:00

922 B

Security Policy

Supported versions

This project is pre-1.0. Security fixes land on main until versioned releases exist.

Reporting a vulnerability

Please do not open a public issue with exploit details. Contact the repository maintainers privately through the security advisory flow once the public GitHub repository exists.

Security model

  • The frontend never receives TELEGRAM_BOT_TOKEN.
  • Telegram Mini App initData is validated server-side when KANBAN_UI_AUTH_MODE=telegram.
  • TELEGRAM_ALLOWED_USER_IDS can restrict access to specific Telegram users.
  • Backend mutations go through fixed Hermes Kanban CLI subcommands with subprocess.run(argv, shell=False).
  • .env and local logs are ignored by git.

Deployment notes

Run behind HTTPS for Telegram Mini Apps, restrict CORS with KANBAN_UI_ALLOWED_ORIGINS, and run the service as a user that has only the Hermes permissions it needs.