Security: mpiton/forgent

SECURITY.md

Security Policy — Forgent

Supported versions

Only the latest stable version receives security patches.

Version                  Supported
latest v0.x (pre-1.0)    Yes
earlier versions         No

Reporting a vulnerability

Never open a public issue for a vulnerability.

Contact privately:

Include:

  • Problem description
  • Reproduction steps
  • Estimated impact
  • (Optional) suggested fix

Response within 72h. Coordinated disclosure after patch.

Attack surface

Forgent is a Claude Code CLI orchestrator; the main attack surface is:

  1. Command injection via F-086 prompts: editable agent prompts could inject shell through {{var}} variables. Mitigation: strict sanitization in domain/security/tool_input_validator.rs + shell-quoting escape before PTY injection.
  2. Path traversal: FS operations must stay under <project>/.claude/forgent/ or ~/.forgent/. Mitigation: domain/security/path_containment.rs (canonicalize + prefix check).
  3. Malicious bash execution: Claude Code CLI may generate destructive commands. Mitigation: domain/security/bash_validator.rs (AST parser + denylist).
  4. Secret leakage: GitHub OAuth tokens, sensitive file content. Mitigation: domain/security/secret_scanner.rs + tracing redaction layer.
  5. MCP: handled entirely by Claude Code CLI. No MCP surface on Forgent side.
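
A sketch of the "canonicalize + prefix check" named in item 2, added here as an example and not taken from Forgent's path_containment.rs. It shows why the prefix check has to compare whole path components, and how files that do not exist yet and dangling symlinks can be handled. The names contain, resolve and demo_tree and the fg-demo directory are assumptions.

```rust
use std::io::{Error, ErrorKind, Result};
use std::path::{Path, PathBuf};
use std::{env, fs, process};

/// Hypothetical helper, not Forgent's path_containment.rs: allow only paths under `roots`.
pub fn contain(roots: &[PathBuf], candidate: &Path) -> Result<PathBuf> {
    let resolved = resolve(candidate)?;
    for root in roots {
        // Path::starts_with compares whole components, so root ".forgent"
        // rejects ".forgent-evil", which a string prefix check would accept.
        if resolved.starts_with(root.canonicalize()?) {
            return Ok(resolved);
        }
    }
    Err(Error::new(ErrorKind::PermissionDenied, "path escapes allowed roots"))
}

/// canonicalize() follows symlinks and folds "..", but fails for a file that
/// does not exist yet, so resolve the parent and re-attach the final name.
fn resolve(p: &Path) -> Result<PathBuf> {
    match p.canonicalize() {
        Err(e) if e.kind() == ErrorKind::NotFound => {
            // A dangling symlink would redirect a later write: refuse it.
            if p.symlink_metadata().is_ok() {
                return Err(e);
            }
            // file_name() is None when the path ends in "..": refuse too.
            let name = p.file_name().ok_or(e)?;
            let parent = p.parent().filter(|d| !d.as_os_str().is_empty());
            Ok(parent.unwrap_or(Path::new(".")).canonicalize()?.join(name))
        }
        other => other,
    }
}

/// Constructed sandbox: <tmp>/fg-demo-<pid>/{.forgent,.forgent-evil}
pub fn demo_tree() -> Result<PathBuf> {
    let base = env::temp_dir().join(format!("fg-demo-{}", process::id()));
    fs::create_dir_all(base.join(".forgent"))?;
    fs::create_dir_all(base.join(".forgent-evil"))?;
    Ok(base)
}

fn main() -> Result<()> {
    let base = demo_tree()?;
    for rel in [".forgent/a.json", ".forgent/../.forgent-evil/a", ".forgent/.."] {
        println!("{rel}: {:?}", contain(&[base.join(".forgent")], &base.join(rel)).map(|_| "ok"));
    }
    fs::remove_dir_all(base)
}
```

The check holds only for the moment it runs, so a caller should open the returned path rather than the original input.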

Guarantees

  • No Claude OAuth on Forgent side: no Anthropic credential stored, no direct api.anthropic.com calls.
  • GitHub OAuth only: token encrypted via OS keyring (macOS Keychain / Windows Credential Manager / Linux Secret Service).
  • Strict webview CSP: default-src 'self'; connect-src 'self' tauri: https://api.github.com.
  • Signed updater: ed25519, public key embedded, refused if signature invalid.
  • Scoped Tauri capabilities: FS allowlist limited to ~/.forgent/** and **/.claude/forgent/**, HTTP allowlist limited to GitHub + code.claude.com.
  • CI secrets-scan: rejects .env/.pem/.key/.p12/.pfx files in repo + greps known API key patterns.

Dependency audit

  • cargo deny check runs in CI (licenses + bans + RustSec advisories) → blocks build on known vulnerability, banned crate, or non-AGPL-compatible license. Uses the same RustSec advisory DB as cargo-audit and supersedes it.
  • pnpm audit may be added manually (not in CI as oxlint does not cover dep security).

User hardening

  • Run claude doctor to verify Claude Code CLI auth regularly.
  • Do not commit <project>/.claude/forgent/ if the project is private (.gitignore does not exclude it by default; user decides).
  • Enable auto-update to receive security patches.

There aren't any published security advisories