This policy covers the CEG engine (engine/), chassis (chassis/), domain specs (domains/), and all CI/CD infrastructure in this repository.
| Version | Supported |
|---|---|
main (latest) |
✅ Active |
| Tagged releases | ✅ Per tag |
| Older feature branches | ❌ No |
Do NOT open a public GitHub issue for security vulnerabilities.
Report privately via GitHub's Security Advisories or email the maintainer directly.
Include:
- Description of the vulnerability and affected component
- Reproduction steps or proof-of-concept
- Potential impact assessment
- Suggested remediation (optional)
Response SLA: Acknowledgement within 48 hours. Patch or mitigation within 14 days for critical issues.
- All Cypher label interpolation MUST use
sanitize_label()— raw label injection is a critical vulnerability - All Neo4j queries MUST route through
engine/graph/driver.py— raw session access bypasses circuit breakers and audit logging - PII values MUST NOT appear in logs — structlog filters are enforced by chassis
- Domain specs are untrusted input — validate all fields before loading
- KGE embeddings MUST NOT be shared cross-tenant
- Never commit
.env, API keys, or credentials —.gitleaks.tomlscans every commit - Use
.env.templatefor documenting required vars; populate via environment or secrets manager (AWS Secrets Manager / Hetzner env injection)
- All AI-generated code that touches
engine/,contracts/, ordomains/requires human review before merge CODEOWNERSenforces mandatory review on governance files (CLAUDE.md,AGENTS.md,.cursorrules)
- Dependabot is configured for pip and GitHub Actions (
.github/dependabot.yml) - Run
make auditto check for known CVEs in current dependencies - Lock file (
poetry.lock) must be committed and kept current