Please report security issues privately rather than opening a public issue:
- Use GitHub's private vulnerability reporting ("Report a vulnerability" under the repo's Security tab), or
- email the maintainer.
I'll acknowledge within a few days and aim to ship a fix promptly.
orchard is a local, single-user developer tool. It runs on your machine and shells out to git, gh, your browser, your editor, and your terminal emulator. It has no telemetry and no server component.
Relevant areas to consider when reporting:
- Argument / command injection via repository names, branch names, remote URLs, or pasted clone URLs reaching `git`, `open`, editor, or `osascript` invocations.
- Token handling: the `GITHUB_TOKEN` value and the output of `gh auth token` must never be logged, printed, or written to disk.
- Path handling: clone destinations derived from remote repository names (for example a name that resolves outside the intended parent directory).
Existing safeguards:
- The GitHub token is fetched only when needed and is never persisted by orchard.
- The Claude usage panel only reads local `~/.claude` files.
- `pull` is fast-forward only and skips dirty repositories.
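The injection, token and path-handling items above, as an added example of the checks a reporter (or the maintainer) would want in place before a user-controlled name reaches an argv. This is illustrative code, not orchard's own; it assumes the tool builds `git clone` commands from a remote URL, an optional branch and a destination directory derived from the repository name, and that only `https://`, `ssh://` and `git@host:path` remotes need to be accepted.

```python
"""Validating user-controlled names before they reach git argv (illustrative, not orchard's code)."""
import re
import subprocess
from pathlib import Path
from typing import Optional, Union

# Conservative subset of what git-check-ref-format allows; a leading '-' is excluded
# so a branch name can never be parsed by git as an option.
_REF_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")
# One directory component: no separators, cannot start with '.' (rules out '..').
_DIR_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
# Assumed transport allow-list: https://, ssh:// or scp-style git@host:path.
# file://, ext:: and bare local paths are rejected.
_REMOTE = re.compile(
    r"^(?:(?:https|ssh)://(?:[\w.-]+@)?[\w.-]+(?::\d+)?/|[\w.-]+@[\w.-]+:)[\w./-]+$"
)
# GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_).
_TOKEN = re.compile(r"\b(gh[pousr]_|github_pat_)[A-Za-z0-9_]+")


def validate_ref_name(name: str) -> str:
    """Reject branch names that look like options or break git's ref rules."""
    bad = (
        not _REF_NAME.match(name)
        or ".." in name
        or "//" in name
        or name.endswith("/")
        or name.endswith(".lock")
    )
    if bad:
        raise ValueError(f"unsafe ref name: {name!r}")
    return name


def validate_remote_url(url: str) -> str:
    """Allow only the assumed transports; never let a '-'-prefixed string through."""
    if url.startswith("-") or not _REMOTE.match(url):
        raise ValueError(f"unsupported remote: {url!r}")
    return url


def clone_destination(base: Union[str, Path], remote_url: str) -> Path:
    """Derive <base>/<repo> from the remote's last path component, confined to base."""
    base = Path(base)
    validate_remote_url(remote_url)
    tail = remote_url.rstrip("/").rsplit("/", 1)[-1].rsplit(":", 1)[-1]
    if tail.endswith(".git"):
        tail = tail[:-4]
    if not _DIR_NAME.match(tail):
        raise ValueError(f"cannot derive a safe directory name from {remote_url!r}")
    dest = base / tail
    # Even a valid component must resolve to a direct child of base (no symlink escape).
    if dest.resolve().parent != base.resolve():
        raise ValueError("clone destination escapes base directory")
    return dest


def git_clone_argv(remote_url: str, branch: Optional[str], dest: Path) -> list:
    """Build argv for git clone; '--' ends option parsing before the positional args."""
    argv = ["git", "clone"]
    if branch is not None:
        argv += ["--branch", validate_ref_name(branch)]
    argv += ["--", validate_remote_url(remote_url), str(dest)]
    return argv


def redact_tokens(text: str) -> str:
    """Scrub GitHub tokens from anything destined for a log line or the terminal."""
    return _TOKEN.sub(r"\1[REDACTED]", text)


def run_git(argv: list) -> subprocess.CompletedProcess:
    """Run argv as a list: no shell, so no word splitting or metacharacter expansion."""
    return subprocess.run(argv, check=False, capture_output=True, text=True)


if __name__ == "__main__":
    base = "/srv/repos"  # constructed example path
    url = "https://github.com/acme/orchard.git"  # constructed example remote
    dest = clone_destination(base, url)
    print(redact_tokens(" ".join(git_clone_argv(url, "main", dest))))
    for bad_ref in ("--upload-pack=touch /tmp/pwned", "a..b"):
        try:
            validate_ref_name(bad_ref)
        except ValueError as err:
            print("rejected:", err)
```

The two rules doing most of the work are the `--` separator (so `git` stops treating later arguments as options even if validation is ever loosened) and passing argv as a list rather than a string, which keeps repository names out of a shell entirely. `redact_tokens` is only a last line of defence for log output; the primary rule from the list above still applies: the token should not be handed to anything that logs in the first place.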