Skip to content

Security: raintree-technology/policystrata

SECURITY.md

Security Policy

PolicyStrata is a deterministic policy-regression testing artifact. It is not an authorization boundary or a replacement for application/database access controls.

Reporting

Report suspected vulnerabilities privately to support@raintree.technology.

Please include the affected version or commit, reproduction steps, and expected impact. Do not send live customer data, production credentials, or proprietary schemas; use a synthetic reproduction when possible.

Scope

Security-relevant issues include:

  • imported SQL escaping the read-only allowlist;
  • scanner behavior that mutates a configured database;
  • credential or secret disclosure in generated artifacts;
  • installation or dependency issues that affect normal CLI use.

Detection gaps against unknown production incidents are methodology limitations, not security vulnerabilities in the artifact.

Repository Guards

The test suite includes deterministic high-confidence secret-pattern scanning over repository text files and fixture checks that require fixture email addresses to use reserved .example domains. Run them with:

uv run pytest tests/test_security_posture.py

This guard is intentionally conservative and should be kept alongside GitHub dependency review, CodeQL, and Socket alerts.

There aren't any published security advisories