FastyGo Platform treats workspace isolation, capability checks, schema review, and module boundaries as release gates.
Security reports should focus on:
- workspace or tenant data leakage;
- capability bypasses;
- unsafe remote module descriptors;
- schema install or rollback corruption;
- renderer output that breaks basic accessibility or escapes trust boundaries;
- dependency boundary violations between Platform, modules, renderers, and apps.
Until a public security mailbox is published, report issues privately to the maintainers of the repository. Do not open public issues for exploitable vulnerabilities.
Include:
- affected package or app;
- reproduction steps;
- expected and actual behavior;
- impact assessment;
- suggested mitigation, if known.
- Platform must not import product modules.
- Codex must remain independent from UI, storage, and renderer packages.
- Additional workspaces must not bypass the root admin or workspace capability model.
- Cross-workspace relations must use explicit Toolset policies.
- Remote modules must declare health, readiness, schema, auth, and failure behavior.
- Schema installs must produce receipts and support rollback records.