teaminal is pre-1.0; only the latest tagged release receives security fixes. For the current release see CHANGELOG.md.
Please do not open a public GitHub issue for suspected vulnerabilities.
Use GitHub's private vulnerability reporting for this repo:
Include:
- A description of the issue and the affected component (auth wrapper, Graph client, UI, etc.)
- Steps to reproduce, ideally with a minimal repro
- The teaminal version (`teaminal --version`) and host OS
You can expect an acknowledgement within a few business days. Coordinated disclosure timelines will be agreed per-report. There is no embargo SLA - this is a personal project with no deployed service to embargo.
teaminal is a thin terminal client that delegates all authentication to owa-piggy - a separate subprocess that holds Microsoft 365 refresh tokens on disk. Threats are shaped by that boundary:
| Boundary | Owner | Notes |
|---|---|---|
| Refresh token storage | owa-piggy | teaminal never reads or writes the AAD refresh token; it only consumes the short-lived access tokens that `owa-piggy token --audience graph` prints to stdout. |
| Access token in memory | teaminal | Cached in-process via `src/auth/owaPiggy.ts`; never logged, never sent anywhere except https://graph.microsoft.com. |
| Subprocess invocation | teaminal | Always invoked without `--json`. The `--json` mode would emit the rotated refresh token from each FOCI exchange (see Known Pitfalls). |
| HTTP egress | teaminal | All requests go through `src/graph/client.ts`, which is the single injection point for `Authorization` headers. No other module talks to Graph. |
| Notifications | teaminal | macOS notifications are dispatched via `osascript` with explicit AppleScript escaping (no shell interpolation, no string concatenation). See `src/notify/notify.ts`. |
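The notification row above describes the two controls that matter for `osascript`: no shell in the path, and the text escaped as an AppleScript string literal. The following is an added TypeScript example of that pattern; it is not teaminal's `src/notify/notify.ts`, and the function names, the self-check on quote count, and the use of `execFile` from `node:child_process` are this example's own choices.

```typescript
// Added example (not teaminal's own src/notify/notify.ts): send a macOS
// notification through osascript without a shell, escaping the text as an
// AppleScript string literal. Function names here are this example's own.
import { execFile } from "node:child_process";

// AppleScript double-quoted strings use backslash escapes (\" \\ \n \r \t).
// Escaping the backslash first and then the quote turns any input into a
// single literal: nothing in it can close the string early.
export function escapeAppleScript(s: string): string {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// The AppleScript source for one notification, with both user-controlled
// fields escaped. Interpolation happens here and nowhere else.
export function buildNotifyScript(title: string, body: string): string {
  return (
    `display notification "${escapeAppleScript(body)}"` +
    ` with title "${escapeAppleScript(title)}"`
  );
}

// The osascript argv. The script is a single `-e` argument handed to execFile
// as an array, so no shell ever parses it and $(...), ;, | are just characters.
export function buildNotifyArgs(title: string, body: string): string[] {
  return ["-e", buildNotifyScript(title, body)];
}

// Number of double quotes that are not escaped. A well-formed script has exactly
// four (two string literals) regardless of input; used as a self-check and in tests.
export function unescapedQuoteCount(script: string): number {
  return (script.replace(/\\\\|\\"/g, "").match(/"/g) ?? []).length;
}

export function notify(title: string, body: string): Promise<void> {
  const script = buildNotifyScript(title, body);
  if (unescapedQuoteCount(script) !== 4) {
    return Promise.reject(new Error("notification text did not escape cleanly"));
  }
  return new Promise((resolve, reject) => {
    execFile("osascript", ["-e", script], (err) => (err ? reject(err) : resolve()));
  });
}

// For contrast only, never call this: building a shell command by concatenation
// lets a body such as  "; do shell script "id"; "  or  $(id)  leave the literal.
export function unsafeNotifyCommand(title: string, body: string): string {
  return `osascript -e 'display notification "${body}" with title "${title}"'`;
}
```

The quote-count check is cheap insurance against a future edit that adds an unescaped field to the script template. A further hardening not shown here, and not what the table describes, is to pass the text as `osascript` arguments to an `on run argv` handler so that no user data is ever interpolated into script source at all.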
- `Authorization` headers are never logged, even under `TEAMINAL_DEBUG=1`.
- Tests use synthetic JWTs and HTTP fixtures only - no real tokens or account IDs are checked into the repo (see the `AGENTS.md` testing rules).
- `verbatimModuleSyntax` is on, so an import used only for types must be written `import type` and is dropped from the emitted JavaScript; a module cannot be pulled in at runtime (with its top-level side effects) by an import that merely looks type-only. This is caught at compile time.
- The single-binary build (`bun build --compile`) bundles the runtime module graph at compile time; runtime resolution is constrained.
- Hardening of `owa-piggy` itself - report those upstream.
- Hardening of the user's terminal emulator, shell history, or `~/.config/teaminal/config` file permissions.
- Microsoft Graph rate-limit or abuse policies - teaminal honors `Retry-After` and 429 backoff, but tenant-level enforcement is upstream.
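The HTTP egress row of the table, the "never logged" rule, and the `Retry-After` handling mentioned just above, as one added TypeScript example. This is not teaminal's `src/graph/client.ts`; the `FetchLike` shape, the 1-second fallback delay, the retry limit and the function names are assumptions of this example.

```typescript
// Added example (not teaminal's own src/graph/client.ts): the one module that
// attaches an Authorization header, pinned to the Graph origin, logging only a
// redacted copy of the headers and backing off on 429 according to Retry-After.
const GRAPH_ORIGIN = "https://graph.microsoft.com";
const DEFAULT_RETRY_MS = 1000; // assumed fallback when Retry-After is absent or unparseable

// Just enough of fetch() to be faked offline; a real fetch satisfies this shape.
export interface MinimalResponse {
  status: number;
  headers: { get(name: string): string | null };
  text(): Promise<string>;
}
export type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string> },
) => Promise<MinimalResponse>;

// Resolve a caller-supplied path against Graph and refuse anything that lands on
// another origin. The check runs after resolution because "//evil.example/me" and
// "https://evil.example/" are valid references that replace the host.
export function graphUrl(path: string): URL {
  const url = new URL(path, GRAPH_ORIGIN);
  if (url.origin !== GRAPH_ORIGIN) throw new Error(`refusing egress to ${url.origin}`);
  return url;
}

// Header copy with the bearer token blanked, for debug output.
export function redactHeaders(h: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const k of Object.keys(h)) {
    out[k] = k.toLowerCase() === "authorization" ? "Bearer <redacted>" : h[k];
  }
  return out;
}

// Retry-After is either delay-seconds or an HTTP-date (RFC 9110 section 10.2.3).
export function retryAfterMs(value: string | null, nowMs: number = Date.now()): number {
  if (value === null || value.trim() === "") return DEFAULT_RETRY_MS;
  const secs = Number(value);
  if (Number.isFinite(secs) && secs >= 0) return secs * 1000;
  const at = Date.parse(value);
  return Number.isFinite(at) ? Math.max(0, at - nowMs) : DEFAULT_RETRY_MS;
}

export class GraphClient {
  constructor(
    private readonly accessToken: () => Promise<string>,
    private readonly fetchImpl: FetchLike,
    private readonly debugLog: (line: string) => void = () => {},
    private readonly sleep: (ms: number) => Promise<void> = (ms) =>
      new Promise((resolve) => setTimeout(resolve, ms)),
  ) {}

  async get(path: string, maxRetries = 3): Promise<string> {
    const url = graphUrl(path);
    for (let attempt = 0; ; attempt++) {
      // A fresh token per attempt, so a retry after a long Retry-After does not
      // reuse one that expired while we slept.
      const headers: Record<string, string> = {
        Authorization: `Bearer ${await this.accessToken()}`,
        Accept: "application/json",
      };
      this.debugLog(`GET ${url.href} ${JSON.stringify(redactHeaders(headers))}`);
      const res = await this.fetchImpl(url.href, { method: "GET", headers });
      if (res.status === 429 && attempt < maxRetries) {
        await this.sleep(retryAfterMs(res.headers.get("Retry-After")));
        continue;
      }
      if (res.status >= 400) throw new Error(`Graph returned HTTP ${res.status}`);
      return res.text();
    }
  }
}
```

Callers hand the client a path, never a URL, and `graphUrl` still re-checks the origin after resolution: a scheme-relative reference such as `//evil.example/me` looks like a path but changes the host, and a plain `http://graph.microsoft.com/...` would downgrade the transport. Because this is the only place a header is built, a single redaction call covers every request the debug log will ever see.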