Olymp is pre-1.0. Security fixes should target the current development branch until a version support policy is published.
Do not open public issues for vulnerabilities involving credentials, node control, bot lifecycle actions, logs, audit events, release artifacts, or network access. Use GitHub private vulnerability reporting when the repository is published.
- Olymp is a control plane for Zeus nodes, not a sandbox.
- The MVP API binds to
127.0.0.1:4321by default. - Every Olymp API endpoint except
GET /healthrequiresOLYMP_API_KEYthroughx-olymp-api-key. - Zeus nodes should stay loopback-only. Use local mode, SSH tunnels, mTLS, or a future node sidecar instead of exposing Zeus directly.
- Node registration is an SSRF boundary. Remote URLs require explicit opt-in and HTTPS.
- Logs, inspect payloads, audit events, and evidence bundles may contain sensitive operational data.
- Store Zeus keys in environment variables referenced by node records; do not put raw keys in SQLite, docs, examples, command output, or frontend bundles.
- Rotate any credential that was committed, printed in logs, captured in evidence, or shared outside the intended host.
- Use staging-only credentials on test hosts.
- Review evidence before sharing it.