docs: add SECURITY.md (disclosure policy + config.json threat model) (#72) #82
Merged
…72)

Release-blocker for 1.0 (#68). Adds a vulnerability-disclosure policy (GitHub private advisory / security@altinity.com, latest-release support window) and formalizes the threat model the README only described prose-style:

- config.json is served to browsers → treat as public; prefer a PKCE public client (the supported install.sh renders a secret-free config by construction); if a client_secret is unavoidable, lock the redirect URI to exactly https://<host>/sql (mirrors CLAUDE.md hard rule 3 + README).
- Token handling: id/access/refresh + PKCE state/verifier live in sessionStorage (tab-lifetime), never localStorage/cookies.
- CSP baseline: default-src 'none' with connect-src bounding exfiltration; ship deploy/http_handlers.xml's headers.
- Operator responsibilities (ClickHouse RBAC, IdP config, TLS) called out as out of scope for the client.

Also links SECURITY.md from the README "Security headers" section and notes it in the CHANGELOG.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PgV4UResR7braUkAq7VaCr
Closes #72. Release-blocker for #68 (Roadmap to 1.0.0).

### Adds

`SECURITY.md` — the last governance file 1.0's Definition of Done calls for — covering:

- security@altinity.com; latest-release support window; no public issues for vulns.
- `config.json` threat model: it's served to browsers, so treat it as public. Prefer a PKCE public client (the supported `deploy/install.sh` renders a secret-free config by construction); if a `client_secret` is unavoidable, lock the redirect URI to exactly `https://<host>/sql`. Mirrors `CLAUDE.md` hard rule 3 + the README "Configuring OAuth" section.
- `state`/`verifier` live in `sessionStorage` (tab-lifetime), never `localStorage`/cookies.
- `default-src 'none'` with `connect-src` bounding exfiltration; operators must ship `deploy/http_handlers.xml`'s headers.

Also links `SECURITY.md` from the README and notes it in the CHANGELOG.

### On the optional deploy-time secret warning (#72)

`deploy/install.sh` has no `client_secret` input — it never renders one — so a warning there would be a no-op. SECURITY.md instead documents this as a strength (the supported path is secret-free) and points the redirect-lock requirement at the hand-authored configs where a secret can actually appear. No code change made.

**Note:** Used security@altinity.com as the disclosure contact — swap it if Altinity prefers a different channel.

🤖 Generated with Claude Code
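A lint for the two checks this threat model actually pins down, written here as an added example rather than anything from the PR or the project: it flags a `client_secret` in a browser-served config.json unless the redirect URI is locked to exactly `https://<host>/sql`, and checks a CSP header value against the `default-src 'none'` plus bounded `connect-src` baseline. The key names `client_id`/`redirect_uri` and the example hostnames are assumptions; only `client_secret` is named on the page.

```python
def lint_config(config: dict, host: str) -> list[str]:
    """Findings for a config.json that any browser can fetch; [] means it passes."""
    findings = []
    if "client_secret" in config:
        # The file is public by construction, so the secret is already exposed;
        # the exact redirect-URI lock is the only remaining control.
        findings.append("client_secret present in a browser-served file; "
                        "prefer a PKCE public client")
        expected = f"https://{host}/sql"
        if config.get("redirect_uri") != expected:  # key name is an assumption
            findings.append(f"redirect_uri must be exactly {expected!r}, "
                            f"got {config.get('redirect_uri')!r}")
    return findings


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def lint_csp(policy: str, allowed_connect: set[str]) -> list[str]:
    """Check the baseline: default-src 'none' plus a bounded connect-src."""
    d = parse_csp(policy)
    findings = []
    if d.get("default-src") != ["'none'"]:
        findings.append("default-src must be exactly 'none'")
    connect = d.get("connect-src")
    if connect is None:
        findings.append("connect-src missing: under default-src 'none' every fetch "
                        "is blocked, so list the ClickHouse and IdP origins explicitly")
    else:
        # A wildcard or bare scheme lets the page talk to anywhere: no exfiltration bound.
        loose = {s for s in connect if s in ("*", "https:", "http:")}
        extra = set(connect) - allowed_connect - loose
        if loose or extra:
            findings.append(f"connect-src is not bounded: {sorted(loose | extra)}")
    return findings


# Constructed samples (hostnames and key names are placeholders, not the project's):
# a secret-free config as install.sh renders, and a hand-authored one with an unlocked redirect.
SAFE_CONFIG = {"client_id": "sql-client", "redirect_uri": "https://sql.example.com/sql"}
SECRET_CONFIG = {"client_id": "sql-client", "client_secret": "<placeholder>",
                 "redirect_uri": "https://sql.example.com/"}
BASELINE_CSP = "default-src 'none'; connect-src 'self' https://idp.example.com"
```

Run `lint_config` against whatever config.json the web root actually serves and `lint_csp` against the header the reverse proxy emits; any non-empty list is a deviation from the policy.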