Kitout runs on a user's local machine and can modify important files. Safety is a product requirement, not an add-on.
Do not store secrets in Kitout config.
Examples of secrets:
- API keys
- private SSH keys
- tokens
- passwords
- .env values
Kitout may install or check secret-management tools, but it should not become one.
Shell commands are allowed only when explicitly listed in config.
Kitout must show shell commands during dry-run.
Kitout should require confirmation before running shell commands unless --yes is passed.
Kitout must not overwrite existing files by default.
Symlink replacement must be explicit.
Potential future backup behavior must be opt-in and well documented.
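As an added illustration of the shell-command and file rules above (not Kitout's code; the function names, keyword flags and the `gitconfig` scratch files are assumptions), a Python sketch of the gates such a tool would put in front of every file write and every shell command:

```python
"""Safety gates for a local setup tool, modelled on the rules above; illustration only, not Kitout's code."""
import os
import shlex
import subprocess
import tempfile

class Refused(Exception):
    """The action would break a safety rule; nothing was changed."""

def write_file(path: str, content: str, *, overwrite=False, replace_symlink=False, dry_run=False) -> str:
    """Create `path`; never clobber an existing file or symlink unless explicitly told to."""
    is_link = os.path.islink(path)
    if is_link and not replace_symlink:
        raise Refused(f"{path} is a symlink and replace_symlink was not set")
    if not is_link and os.path.lexists(path) and not overwrite:
        raise Refused(f"{path} exists and overwrite was not set")
    if dry_run:
        return "would write"
    if is_link:
        os.unlink(path)  # remove the link itself, never the file it points to
    with open(path, "w") as fh:
        fh.write(content)
    return "wrote"

def run_shell(cmd: list, allowed: list, *, dry_run=False, yes=False, confirm=lambda _: False) -> str:
    """Run `cmd` only if config lists it verbatim; show it in dry-run; ask `confirm` unless --yes."""
    shown = shlex.join(cmd)
    if cmd not in allowed:
        raise Refused(f"'{shown}' is not listed in config")
    if dry_run:
        return f"would run: {shown}"
    if not yes and not confirm(f"run '{shown}'? [y/N] "):
        return f"skipped: {shown}"
    subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL)
    return f"ran: {shown}"

def demo() -> list:
    """Walk the file rules in a scratch directory (constructed); returns each step's outcome."""
    d = tempfile.mkdtemp()
    real, link = os.path.join(d, "gitconfig"), os.path.join(d, ".gitconfig")
    os.symlink(real, link)  # a pre-existing symlink owned by the user
    out = []
    for target, kw in [(real, {}), (real, {}), (real, {"overwrite": True, "dry_run": True}),
                       (link, {"overwrite": True}), (link, {"replace_symlink": True})]:
        try:
            out.append(write_file(target, "managed\n", **kw))
        except Refused:
            out.append("refused")
    return out
```

The second write to `gitconfig` and the write over the symlink are refused until the matching flag is given, and the dry-run step reports without touching disk.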
Report vulnerabilities by creating a GitHub issue.
GitHub channels:
- GitHub issues for github.com/vwall/kitout
- GitHub private vulnerability reporting for github.com/vwall/kitout, when enabled
Please include:
- affected Kitout version or commit
- config/resource type involved
- steps to reproduce
- expected impact
- any suggested mitigation
The maintainer will acknowledge reports as soon as practical, triage the issue, and coordinate a fix before public disclosure when the report describes a real security impact.