Skip to content

Security: fastygo/platform

Security

SECURITY.md

Security Policy

FastyGo Platform treats workspace isolation, capability checks, schema review, and module boundaries as release gates.

Supported Scope

Security reports should focus on:

  • workspace or tenant data leakage;
  • capability bypasses;
  • unsafe remote module descriptors;
  • schema install or rollback corruption;
  • renderer output that breaks basic accessibility or escapes trust boundaries;
  • dependency boundary violations between Platform, modules, renderers, and apps.

Reporting

Until a public security mailbox is published, report issues privately to the maintainers of the repository. Do not open public issues for exploitable vulnerabilities.

Include:

  • affected package or app;
  • reproduction steps;
  • expected and actual behavior;
  • impact assessment;
  • suggested mitigation, if known.

Security Invariants

  • Platform must not import product modules.
  • Codex must remain independent from UI, storage, and renderer packages.
  • Additional workspaces must not bypass the root admin or workspace capability model.
  • Cross-workspace relations must use explicit Toolset policies.
  • Remote modules must declare health, readiness, schema, auth, and failure behavior.
  • Schema installs must produce receipts and support rollback records.

There aren't any published security advisories