Security fixes are provided for the latest release on main.

Please do not report security vulnerabilities in public issues.

Preferred channel:

• Use GitHub Security Advisories ("Report a vulnerability") for this repository.

If that option is unavailable to you:

• Contact the maintainer directly on GitHub: https://github.com/lourencomaciel

Include:

• A clear description of the issue
• Reproduction steps or a proof of concept
• Impact assessment (what data/systems are affected)
• Suggested remediation (if known)

• Initial acknowledgement: within 3 business days
• Triage/update: within 7 business days
• Fix timeline: depends on severity and release complexity

We will coordinate disclosure timing with reporters when possible.

Current controls:

1. Command execution uses subprocess.run(command_argv, shell=False).
2. Command failures are persisted as structured error metadata.
3. Dedup identity uses hash keys, not raw shell strings.

Operational guidance:

1. Treat sift-gateway run as trusted-local execution.
2. Restrict who can invoke capture in shared environments.

Current controls:

1. AST guard enforces import/root restrictions.
2. Runtime executes in a subprocess with timeout and memory constraints.
3. Import allowlist is explicit and configurable.
4. There is currently no supported runtime flag to disable query_kind="code" globally.

Operational guidance:

1. Restrict who can invoke the artifact(action="query", query_kind="code") surface.
2. For untrusted model-authored code, run Sift inside a container boundary.
3. Keep optional code dependencies minimal and controlled.

Code-query isolation is process-level, not VM-level. Treat it as a guarded execution path, not a hardened multi-tenant sandbox.