If you discover a security vulnerability in ChatCLI, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

1. Email: Send details to the maintainer via the email listed in the GitHub profile.
2. GitHub Security Advisories: Use GitHub's private vulnerability reporting to submit a confidential report.

• Description of the vulnerability
• Steps to reproduce
• Affected versions
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 5 business days
• Fix timeline: Depends on severity
  • Critical: Patch within 7 days
  • High: Patch within 14 days
  • Medium: Next release cycle
  • Low: Best effort

ChatCLI implements defense-in-depth security across all components:

• Authentication: JWT with RBAC roles, OAuth PKCE, constant-time token comparison
• Encryption: AES-256-GCM at rest, TLS 1.3 in transit
• Server: SSRF prevention, per-client rate limiting, field validation, audit logging
• Agent: Command allowlist (150+ approved commands), read path blocking, output sanitization
• Plugins: Ed25519 signature verification, quarantine system
• Operator: Fail-closed auth, resource allowlist, log scrubbing, RBAC least-privilege
• CI/CD: govulncheck, gosec, Dependabot, Cosign image signing

Every pull request runs:

• govulncheck ./... — Go vulnerability database check
• gosec ./... — Static security analysis
• Dependency review for known CVEs

Full security documentation: chatcli.edilsonfreitas.com