We take the security of DevAIFlow seriously. If you discover a security vulnerability, please follow these steps:

Please do not create a public GitHub issue for security vulnerabilities. Public disclosure before a fix is available puts all users at risk.

Report security vulnerabilities through one of these channels:

• GitHub Security Advisories: Use the GitHub Security Advisory feature (preferred)
• Email: Send details to the project maintainers (see contact information below)

When reporting a vulnerability, please include:

• Description: Clear description of the vulnerability
• Impact: What an attacker could do with this vulnerability
• Steps to Reproduce: Detailed steps to reproduce the issue
• Affected Versions: Which versions of DevAIFlow are affected
• Suggested Fix: If you have ideas for fixing the issue (optional)
• Your Contact Information: How we can reach you for follow-up questions

Title: Potential command injection in session name handling

Description:
User-provided session names are passed directly to shell commands without
proper sanitization, allowing command injection.

Impact:
An attacker could execute arbitrary commands on the user's system by
creating a session with a malicious name.

Steps to Reproduce:
1. Run: daf new --name "test; rm -rf /tmp/test"
2. Observe that the command after semicolon is executed

Affected Versions:
- v0.1.0 and earlier

Suggested Fix:
Use shlex.quote() to properly escape session names before passing to shell.

We will:

1. Acknowledge receipt of your report within 48 hours
2. Investigate and confirm the vulnerability
3. Develop a fix in a private branch
4. Notify you when a fix is ready for testing
5. Release a security update with credit to the reporter (if desired)
6. Publish a security advisory after the fix is released

Typical timeline: 2-4 weeks from report to public disclosure (depending on severity and complexity).

When using DevAIFlow:

• Never commit JIRA API tokens to git repositories
• Use environment variables for sensitive configuration:

  export JIRA_API_TOKEN="your-token"
  export GITHUB_TOKEN="your-token"

• Add .env files to .gitignore if using them

Before sharing session exports with teammates:

• Check for accidentally included credentials or sensitive data
• Review conversation history for confidential information
• Session exports include full conversation history - sanitize if needed

• Ensure your JIRA_URL configuration points to your legitimate JIRA instance
• Verify SSL certificates are valid (don't use --insecure curl flags)

• Regularly update DevAIFlow: pip install --upgrade devaiflow
• Subscribe to GitHub releases for security notifications
• Review CHANGELOG.md for security-related updates

DevAIFlow stores session data in:

• $DEVAIFLOW_HOME/ - Session metadata and configuration
• ~/.claude/projects/ - Claude Code conversation files

Ensure these directories have appropriate permissions:

chmod 700 $DEVAIFLOW_HOME
chmod 700 ~/.claude

• Session data (including JIRA keys, conversation history) is stored unencrypted in $DEVAIFLOW_HOME/
• Conversation files are stored in ~/.claude/projects/
• Mitigation: Use full-disk encryption and appropriate file permissions

• API tokens are read from environment variables
• Tokens are used in HTTP requests to JIRA/GitHub/GitLab
• Mitigation: Tokens are not logged or stored by DevAIFlow; use secure token storage solutions for your environment

• Session names and JIRA keys are used in git commands and file paths
• Input validation is performed, but shell operations carry inherent risks
• Mitigation: Avoid special characters in session names; use JIRA key format validation

• Exported session files contain full conversation history
• Files are not encrypted during export
• Mitigation: Review exports before sharing; use secure channels for transmission

We provide security updates for:

Older versions may receive critical security fixes on a case-by-case basis.

• GitHub: @itdove
• Security Advisories: https://github.com/itdove/devaiflow/security/advisories

We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be credited in:

• Security advisory
• CHANGELOG.md
• GitHub release notes (if desired)

Thank you to these security researchers who have helped improve DevAIFlow:

• No vulnerabilities reported yet

Remember: When in doubt about whether something is a security issue, please report it privately. We'd rather investigate a false positive than miss a real vulnerability.