This project implements the following security controls:

• No MD5/SHA1 for security purposes (CI enforced)
• SHA256+ required for all cryptographic operations
• Secrets are never logged or stored in plaintext

• HTTPS only - HTTP URLs blocked except localhost (CI enforced)
• No hardcoded secrets in source code (CI enforced via trufflehog)

• Non-root container user (mcp, UID 1000)
• Minimal base image (Chainguard Wolfi)
• No secrets baked into images

• Dependency lockfiles (deno.lock)
• Automated dependency updates (Dependabot)
• CodeQL security scanning
• OpenSSF Scorecard assessment
• Sigstore provenance attestation ready

• All secrets handled via external secret managers (Vault, SOPS)
• Environment variables for configuration (not hardcoded)
• Token lifecycle management delegated to secret backends

DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via:

1. GitHub Security Advisories: Report a vulnerability
2. Email: security@hyperpolymath.dev (if available)

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Any suggested mitigations

• Initial Response: Within 48 hours
• Triage & Assessment: Within 7 days
• Fix Development: Depends on severity
  • Critical: 24-72 hours
  • High: 1-2 weeks
  • Medium/Low: Next release cycle

We follow coordinated disclosure:

• 90-day disclosure deadline
• Public disclosure after fix is released
• Credit given to reporters (unless anonymity requested)

1. Never commit Vault tokens or SOPS keys to version control
2. Use environment variables for VAULT_ADDR and VAULT_TOKEN
3. Rotate secrets regularly using the provided tools
4. Review audit logs in your secret manager
5. Use TLS/mTLS for Vault connections in production