Skip to content

Security: ASH19900601/KeyBroker

Security

SECURITY.md

Security policy

Reporting

Do not open a public issue containing a real credential, encrypted Vault file, DPAPI-wrapped key, or exploit proof that exposes user data. Until a private disclosure address is established, reproduce issues only with synthetic secrets and mark the report as security-sensitive.

Supported version

Only the latest commit on the main branch is supported during the MVP phase.

Release gate

The project must not be described as production-ready until the remaining gates are complete:

  • an independent cryptographic and architecture review;
  • signed release artifacts and byte-for-byte reproducibility verified on an independent clean builder;
  • coverage-guided sanitizer fuzzing for Vault, URL, header, and MCP inputs on a supported builder;
  • human desktop accessibility/interaction sign-off and disposable-account real-service tests.

Version 1.0.0-rc.1 implements the single-writer daemon, authenticated local-only IPC, locked/zeroized native buffers, locked dependency graph, automated CycloneDX SBOM, deterministic-build inputs, 200,000-case mutation fuzz regression tests, encrypted backup verification, recovery and incident-response runbooks, and certificate-driven signing automation. These controls have not yet received an independent audit.

There aren't any published security advisories