Please do not open a public GitHub issue for security vulnerabilities.

Report security issues by emailing security@bytestrix.com with:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fix (optional)

You will receive an acknowledgement within 48 hours and a full response within 7 days. We will coordinate a fix and disclosure timeline with you.

The following are in scope:

• Authentication bypass in the relay server
• Arbitrary command execution via the agent API
• Sensitive data leakage (secrets not redacted before leaving the VM)
• WebSocket message injection or spoofing

The following are out of scope:

• Attacks that require physical access to the VM
• Social engineering
• Vulnerabilities in third-party dependencies (report those upstream)

InfraCanvas (OSS) runs as a single binary on each machine. The dashboard, relay, and agent all live in the same process. The two surfaces that need protection:

• Exposed URL — by default the binary binds 127.0.0.1:7777 and a bundled cloudflared opens an outbound-only Cloudflare quick-tunnel that publishes a random https://*.trycloudflare.com URL. Traffic is HTTPS-terminated at Cloudflare's edge; no inbound firewall rule is required. The URL is unguessable but not secret — pair it with the auth token below. --no-tunnel binds 0.0.0.0:7777 directly (you allow the port in your cloud security group). --private binds 127.0.0.1 and you reach it through SSH tunnel.
• UI auth token — every install generates a random 24-character token (saved in /etc/infracanvas/config.env). Required as a query param on first load, then stored in an HTTP-only cookie. WebSocket calls require it too.

Once authenticated, the dashboard can:

• See the full topology of the host
• Read container logs
• Open a shell inside any container or on the host
• Run Docker / Kubernetes actions (restart, scale, update image)

Treat the URL+token like an SSH key for the box.

• Secret redaction — env vars whose names contain SECRET, TOKEN, KEY, PASSWORD, CREDENTIAL, AUTH, PASSWD are replaced with [REDACTED] before they leave the discovery layer.
• No persistent storage — graphs are recomputed every refresh; the relay does not persist data between restarts.
• Pair codes — generated by the agent for legacy shared-relay deployments. In the default local serve-mode the browser auto-pairs from loopback and pair codes are unused.