21 lines
922 B
Markdown
21 lines
922 B
Markdown
# Security Policy
|
|
|
|
## Supported versions
|
|
|
|
This project is pre-1.0. Security fixes land on `main` until versioned releases exist.
|
|
|
|
## Reporting a vulnerability
|
|
|
|
Please do not open a public issue with exploit details. Contact the repository maintainers privately through the security advisory flow once the public GitHub repository exists.
|
|
|
|
## Security model
|
|
|
|
- The frontend never receives `TELEGRAM_BOT_TOKEN`.
|
|
- Telegram Mini App `initData` is validated server-side when `KANBAN_UI_AUTH_MODE=telegram`.
|
|
- `TELEGRAM_ALLOWED_USER_IDS` can restrict access to specific Telegram users.
|
|
- Backend mutations go through fixed Hermes Kanban CLI subcommands with `subprocess.run(argv, shell=False)`.
|
|
- `.env` and local logs are ignored by git.
|
|
|
|
## Deployment notes
|
|
|
|
Run behind HTTPS for Telegram Mini Apps, restrict CORS with `KANBAN_UI_ALLOWED_ORIGINS`, and run the service as a user that has only the Hermes permissions it needs.
|