| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security seriously at CLDPM. If you discover a security vulnerability, please report it responsibly.
- Do not open a public GitHub issue for security vulnerabilities
- Email security concerns to: security@transilience.ai
- Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours of your report
- Initial Assessment: Within 5 business days
- Resolution Timeline: Depends on severity
- Critical: 24-48 hours
- High: 7 days
- Medium: 30 days
- Low: 90 days
When using CLDPM, follow these security guidelines:
CLDPM uses symlinks to share components. Be aware that:
- Symlinks can point to sensitive files if misconfigured
- Always verify symlink targets before trusting content
- Use
cldpm syncto regenerate symlinks from trusted sources
When using cldpm get --remote:
- Only fetch from trusted repositories
- Set
GITHUB_TOKENorGH_TOKENsecurely - Never commit tokens to version control
- Use environment variables or secure credential storage
# Good: Use environment variable
export GITHUB_TOKEN="your-token"
cldpm get project -r owner/repo
# Bad: Token in command history
cldpm get project -r owner/repo --token "your-token" # DON'T DO THISShared components (skills, agents, hooks, rules) are code that will be executed:
- Review all shared components before use
- Implement code review for shared component changes
- Use branch protection on your mono repo
- Audit component dependencies
Ensure proper file permissions:
# Recommended permissions
chmod 755 shared/ # Directories
chmod 644 shared/**/*.md # Markdown files
chmod 644 shared/**/*.json # Config files
chmod 755 shared/hooks/**/*.py # Executable hooksWhen using CLDPM with Git:
- Add
.envand credential files to.gitignore - Never commit sensitive data to shared components
- Use
.gitignorepatterns generated by CLDPM
| Area | Consideration | Mitigation |
|---|---|---|
| Symlinks | Can traverse directories | CLDPM validates symlink targets |
| Remote fetch | Network exposure | Use HTTPS, verify repos |
| Hooks | Execute arbitrary code | Review all hook code |
| Dependencies | Transitive trust | Audit dependency chains |
CLDPM includes these security features:
- Per-directory .gitignore: Only symlinks are ignored, not entire directories
- Path validation: Prevents directory traversal attacks
- No credential storage: Tokens must be provided via environment
We thank the following individuals for responsibly disclosing security issues:
No vulnerabilities have been reported yet.
Maintained by Transilience.ai