AlignTrue is designed with security and privacy as core principles: local-first by default, deterministic outputs, and minimal data retention.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please use GitHub's private vulnerability reporting feature:

1. Go to https://github.com/AlignTrue/aligntrue/security/advisories
2. Click "Report a vulnerability"
3. Fill out the form with details about the vulnerability

We will respond within 48 hours and work with you to understand and address the issue.

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting)
• Full paths of source file(s) related to the issue
• Location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

We release patches for security vulnerabilities as soon as possible. Only the latest minor version receives security updates.

• Offline-first core - Core flows are local-first; no required cloud dependencies.
• No telemetry collected - Telemetry is not emitted; any future telemetry would require explicit opt-in.
• Deterministic artifacts - Outputs include content hashes and avoid timestamps so results are diffable.
• Minimal logging - Output avoids printing secrets or raw PII.

• No secret printing - Output avoids secrets; artifacts contain only necessary metadata and hashes.
• Offline by default - Remote fetches occur only when explicitly configured and reuse local cache when present.
• Local MCP access - MCP exporters are scoped to the local workspace and avoid exposing arbitrary command execution.

• Pinned dependencies - Releases are locked via pnpm-lock.yaml; no floating ranges.
• Dependabot monitoring - Dependabot tracks manifest updates.
• Manual audits - Run pnpm audit --prod locally before releases (not currently automated in CI).
• Data-only artifacts - Packs/Aligns are treated as data; they are never executed.
• SBOM and checksums - SBOMs and release checksums are not published yet; verify releases via tags and repository hashes.

• Read-only operations - MCP capabilities are scoped to read-only access within the active workspace.
• No arbitrary execution - No arbitrary command execution is exposed through MCP.
• Minimal data exposure - Exporters return only data needed for scope and rule queries.

• Safe parsing - Reject anchors and custom executable types.
• Reject unsafe values - Reject NaN and Infinity in canonicalization and hash-relevant paths.
• Size limits - Enforce size limits on inputs to avoid memory pressure and abuse.

• Reproducible outputs - Artifacts aim for reproducible, deterministic content.
• Security changelog - Record security-related changes under Security in CHANGELOG.md.

• Core commands (init, check, sync, status, doctor, exporters, scopes, rules) run with network blocked in your environment
• Telemetry remains off (ALIGNTRUE_TELEMETRY unset) and tests run with ALIGNTRUE_NO_TELEMETRY=1
• Secrets do not appear in logs or exports
• MCP exporters remain scoped to local workspace access
• Lockfiles and exports remain deterministic (hashes stable across runs)
• pnpm audit --prod passes before publishing releases
• Release artifacts are verified via git tags and repository hashes (SBOM and checksums not yet published)

Security issues are reported via GitHub's private vulnerability reporting feature (see above).

Security advisories must include:

• Short-term mitigation steps
• Pointer to patch release as soon as available
• Affected versions and fixed versions
• Severity assessment

• Development Setup
• Development Commands

This file is auto-generated from the AlignTrue documentation site. To make changes, edit the source files in apps/docs/content/ and run pnpm generate:repo-files.