Part of #68 (Roadmap to 1.0.0) — release-blocker.
Problem
There is no `SECURITY.md` (no vulnerability-disclosure contact/policy) — standard for a 1.0, and more so for an Altinity-branded, security-sensitive tool. Separately, the `client_secret`-in-`config.json` situation is documented in the README but not formalized as a threat model: `config.json` is served to browsers, and the antalya deploy ships a Google `client_secret` "public-by-design".
Ask
- Add `SECURITY.md` with a vulnerability-disclosure contact and supported-versions policy.
- Document the threat model for `config.json`: it is public; prefer a PKCE public client (no secret); if an IdP requires a `client_secret`, the redirect URI must be locked and the file treated as public (mirror CLAUDE.md hard rule 3 + README "Configuring OAuth").
- Consider a deploy-time warning when a `client_secret` is present in `config.json`.
- Note token storage (`sessionStorage`, tab-lifetime) and the CSP posture (`default-src 'none'`, tight `connect-src`) as the baseline.
Acceptance
`SECURITY.md` present: disclosure contact + the `config.json`/secret threat model + redirect-lock requirement.