This project follows a rolling-release model: only the latest release on main
receives security fixes.
| Version | Supported |
|---|---|
latest (main) |
✅ |
| older tags | ❌ |
Please do not open a public issue for security problems.
Report privately via a GitHub Security Advisory. You can expect an acknowledgement within 72 hours and a status update within 7 days. Once a fix is available we will coordinate a disclosure timeline with you.
- The backend (
apps/api) is a modular monolith. Workspace isolation is enforced at the repository layer (every repository API takes a workspace id non-optionally) and covered by negative isolation tests — seeCLAUDE.mdand the ADRs. Report any path that reads or writes across workspaces without an explicit workspace id as a security issue. - AI features never mutate state on their own: LLM/ASR output is always a reviewable proposal with provenance (ADR-0005). Report any path where an AI provider's response reaches a timesheet, budget, export, or invoice without passing through the deterministic core.
- No client or feature talks to a payment SDK directly; feature gates ask the
billingmodule (entitlement API + credit ledger). Report any direct payment-SDK access outside a billing adapter. - Meeting capture requires stored, explicit opt-in (REQ-025). Report any capture path that can run without recorded consent.
- Never commit API keys, tokens, or personal data.
.envfiles are git-ignored.