| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| < 2.0 | ❌ |
If you discover a security vulnerability in Archii, please report it responsibly.
Open a Security Advisory on GitHub:
- Go to Security Advisories
- Select "Report a vulnerability"
- Describe the issue with enough detail to reproduce it
- Include affected components, attack vectors, and potential impact
Email the maintainers directly at security@yecos.co (if available) with:
- Description of the vulnerability
- Steps to reproduce
- Affected version(s)
- Suggested fix (optional)
- We will acknowledge receipt within 48 hours
- We will provide an initial assessment within 7 business days
- We will keep you informed of progress toward a fix
- Credit will be given in the release notes (unless anonymity is requested)
Archii implements multiple layers of security:
- Firebase Auth with email/password, Google OAuth, and Microsoft SSO
- Multi-tenant isolation: all Firestore queries enforce tenant-scoped access
- Role-based access control: Super Admin and Miembro roles
- SSO/SAML support via `/api/sso` endpoint
- SCIM provisioning via `/api/scim` endpoint
- AES-256-GCM encryption for sensitive tokens stored in Firestore
- Rate limiting on all public endpoints (sliding window per user/tenant)
- Tenant verification on every API route via `verifyTenantMembership()`
- Input validation with parameterized Firestore queries (no string interpolation)
- Content Security Policy configured for Firebase, Google, and Microsoft auth flows
- API key authentication for the public REST API (`/api/v1/`)
- HMAC-SHA256 webhook signatures to verify webhook authenticity
- CORS restrictions on API endpoints
- No secrets in client-side code — all sensitive operations are server-side
- Firestore Security Rules enforce tenant isolation at the database level
- Vercel deployment with automatic HTTPS
- Dependency auditing via `npm audit` in the CI pipeline
- Secret scanning in CI to prevent credential leaks
When contributing to Archii, follow these security guidelines:
- Never commit secrets — use `.env.local` for local development
- Always verify tenant membership — use `verifyTenantMembership()` from `@/lib/tenant-utils`
- Encrypt sensitive data — use `encryptToken()`/`decryptToken()` from `@/lib/token-encryption` for tokens
- Apply rate limiting — use `checkRateLimit()` from `@/lib/rate-limiter` on public endpoints
- Use parameterized queries — never concatenate user input into Firestore queries
- Validate inputs — check types, ranges, and allowed values before processing
- Don't expose internal errors — return generic error messages to clients
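To make the token-encryption guideline concrete, here is an added illustrative implementation of an `encryptToken()`/`decryptToken()` pair with AES-256-GCM. It is not Archii's `@/lib/token-encryption` module; the `v1:` envelope format, the `TOKEN_ENCRYPTION_KEY` variable and the use of the tenant id as additional authenticated data are assumptions. The `tryDecryptToken()` wrapper also follows the "don't expose internal errors" guideline by returning a generic failure instead of the crypto library's message.

```javascript
// Added example (not Archii's @/lib/token-encryption): AES-256-GCM token encryption.
// Envelope format, env var name and AAD choice are assumptions.
const { createCipheriv, createDecipheriv, randomBytes } = require("node:crypto");

const ALGORITHM = "aes-256-gcm";
const IV_BYTES = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_BYTES = 16; // 128-bit authentication tag

// Loads a 32-byte key from a hex-encoded environment variable; the key never lives in source.
function loadKey(hex = process.env.TOKEN_ENCRYPTION_KEY) {
  const key = Buffer.from(hex || "", "hex");
  if (key.length !== 32) throw new Error("TOKEN_ENCRYPTION_KEY must be 32 bytes (64 hex chars)");
  return key;
}

// Encrypts a plaintext token. The tenant id is bound as additional authenticated data (AAD),
// so a ciphertext copied from one tenant's Firestore document cannot be decrypted under another.
function encryptToken(plaintext, tenantId, key) {
  const iv = randomBytes(IV_BYTES); // fresh nonce per call; nonce reuse under one key breaks GCM
  const cipher = createCipheriv(ALGORITHM, key, iv);
  cipher.setAAD(Buffer.from(tenantId, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Envelope "v1:<iv>:<tag>:<ciphertext>", each part base64url, stored as one string field.
  return ["v1", iv.toString("base64url"), tag.toString("base64url"), ciphertext.toString("base64url")].join(":");
}

// Decrypts an envelope. Any change to iv, tag, ciphertext or tenantId makes final() throw.
function decryptToken(envelope, tenantId, key) {
  const [version, ivB64, tagB64, ctB64] = String(envelope).split(":");
  if (version !== "v1" || !ivB64 || !tagB64 || !ctB64) throw new Error("unrecognised token envelope");
  const iv = Buffer.from(ivB64, "base64url");
  const tag = Buffer.from(tagB64, "base64url");
  if (iv.length !== IV_BYTES || tag.length !== TAG_BYTES) throw new Error("malformed token envelope");
  const decipher = createDecipheriv(ALGORITHM, key, iv);
  decipher.setAAD(Buffer.from(tenantId, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(Buffer.from(ctB64, "base64url")), decipher.final()]).toString("utf8");
}

// Handler-side wrapper: callers get a generic result, never the underlying crypto error text.
function tryDecryptToken(envelope, tenantId, key) {
  try {
    return { ok: true, token: decryptToken(envelope, tenantId, key) };
  } catch {
    return { ok: false, token: null };
  }
}

// Constructed demo; production code obtains the key with loadKey().
const demoKey = randomBytes(32);
const stored = encryptToken("constructed-refresh-token-value", "tenant_abc", demoKey);
console.log(stored);                                          // v1:<iv>:<tag>:<ciphertext>
console.log(decryptToken(stored, "tenant_abc", demoKey));     // constructed-refresh-token-value
console.log(tryDecryptToken(stored, "tenant_xyz", demoKey));  // { ok: false, token: null }
```

Because the tag is checked before any plaintext is returned, a tampered field and a wrong tenant both fail closed in the same way; the caller only learns that decryption failed.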
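For the rate-limiting guideline, an added illustrative `checkRateLimit()` using a sliding window keyed per user within a tenant, as the measures list above describes. It is not Archii's `@/lib/rate-limiter`; the limit of 5 requests per 60 seconds, the key format and the in-process store are assumptions, and a multi-instance deployment would keep the window in a shared store rather than process memory.

```javascript
// Added example (not Archii's @/lib/rate-limiter): sliding-window rate limiting per tenant/user.
// Limits, key format and in-memory storage are assumptions.
const WINDOW_MS = 60_000;
const MAX_REQUESTS = 5;

// Sliding log of request timestamps per key. Exact at window edges (a fixed window would let
// 2x the limit through around the boundary) at the cost of O(limit) memory per active key.
const requestLog = new Map();

// Scoped per tenant so one tenant's traffic cannot consume another tenant's budget.
function rateLimitKey(tenantId, userId) {
  return `${tenantId}:${userId}`;
}

function checkRateLimit(tenantId, userId, nowMs = Date.now(),
                        { windowMs = WINDOW_MS, max = MAX_REQUESTS } = {}) {
  const key = rateLimitKey(tenantId, userId);
  const cutoff = nowMs - windowMs;
  const recent = (requestLog.get(key) || []).filter((t) => t > cutoff); // drop expired entries
  if (recent.length >= max) {
    requestLog.set(key, recent); // rejected requests are not counted, so a blocked client is not penalised further
    const retryAfterMs = recent[0] + windowMs - nowMs; // when the oldest counted request leaves the window
    return { allowed: false, remaining: 0, retryAfterMs };
  }
  recent.push(nowMs);
  requestLog.set(key, recent);
  return { allowed: true, remaining: max - recent.length, retryAfterMs: 0 };
}

function resetRateLimits() {
  requestLog.clear();
}

// Constructed demo: six requests one second apart, then one just after the window has moved on.
const t0 = 1_700_000_000_000;
for (let i = 0; i < 6; i++) {
  console.log(checkRateLimit("tenant_abc", "user_1", t0 + i * 1000)); // 6th: allowed false, retryAfterMs 55000
}
console.log(checkRateLimit("tenant_abc", "user_1", t0 + 60_001));     // oldest entry expired: allowed again
```

In a route handler the `retryAfterMs` value maps directly onto a `Retry-After` header with a 429 response; the generic message to the client should not reveal the limit configuration.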
See CONTRIBUTING.md for full contribution guidelines.