Security: DEVtheOPS/quincode

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report security vulnerabilities responsibly.

Do not open a public issue for exploitable vulnerabilities.

Preferred path:

  1. Open a private GitHub Security Advisory:
  2. If that is unavailable, contact maintainers directly and include SECURITY in the subject.

What to Include

Include the following details:

  • Description of the issue
  • Impact and potential attacker outcomes
  • Reproduction steps or proof of concept
  • Affected versions/commit ranges
  • Suggested remediation (if available)
  • Environment details (OS, shell, provider mode, config context)

Response Targets

  • Initial acknowledgment: within 72 hours
  • Triage/status update: within 7 days
  • Fix timeline by severity:
    • Critical: 7-14 days
    • High: 14-30 days
    • Medium/Low: best effort, usually 30-90 days

Supported Versions

Security fixes are provided for:

Version    Supported
0.1.x      Yes
< 0.1.0    No

Scope Highlights

This project executes shell commands through an agent tool. High-priority reports include:

  • Sandbox/policy bypasses for blocked commands
  • Approval bypasses (defects in never, on-request, or always behavior)
  • Prompt-injection paths that cause unsafe tool execution
  • Secret exposure (API keys, local config leakage)
  • Path/workspace boundary escapes

Disclosure Process

  1. Report received and acknowledged
  2. Maintainers validate and assess severity
  3. Fix is prepared and tested
  4. Coordinated release and advisory publication

Security Hygiene for Contributors

  • Avoid committing secrets (API keys, local endpoint credentials)
  • Keep .quincode/config.toml local
  • Treat tool execution and command validation changes as security-sensitive
  • Add tests for policy and approval behavior when touching src/agent.rs or src/tools/shell.rs

There aren’t any published security advisories