SP-DevControl handles project governance for AI-assisted development, including policy enforcement, file monitoring, and compliance reporting. Security is a core design requirement.
| Version | Supported |
|---|---|
| 2.0.x | ✅ Active development |
| < 2.0 | ❌ Not supported |
We take security issues seriously. Please report vulnerabilities via private channel only:
- Email: security@solucionespro.com
- GitHub: Use the private vulnerability reporting feature at: https://github.com/SolucionesPro/sp-devcontrol/security/advisories/new
Do not report security issues via public GitHub issues or discussions.
- Description of the vulnerability
- Steps to reproduce (concept code, not exploit)
- Impact assessment
- Suggested fix (optional)
- 48 hours: Acknowledgment of receipt
- 7 days: Initial assessment and severity classification
- 30 days: Fix released for critical/high severity issues
- Token-based auth for API (
/api/*) and MCP endpoints - Tokens stored in
~/.devcontrol/api-token(chmod 600, outside project root) - No hardcoded credentials
- All file paths resolved and normalized against project root
- Path traversal attacks (
../../) detected and blocked - Protected paths enforced at policy engine level
- Exact-match command evaluation (no substring bypass)
- 3-tier decision: ALLOW / REVIEW / BLOCK
- Session-level approvals can override but are revocable
- No telemetry, no external calls, no data leaving the machine
- Storage files in
.devcontrol/with.gitignoreexclusion - Atomic writes prevent corruption
policy.ts— Command and path risk evaluationapi.ts— Token authentication middlewaredaemon.ts— Token generation and validationtoken_guard.ts— Token budget estimationvalidator.ts— Control validation execution
We follow coordinated disclosure: 90-day window between fix release and full public disclosure.