Queenshift is a bounded experimental coding CLI, and security reports are welcome.
The goal is to make responsible reporting easy without asking reporters to guess the right lane.
In scope for security reports:
- workspace escape or filesystem-boundary bypass
- destructive command execution outside documented boundaries
- secret leakage, credential exposure, or unsafe artifact publication
- unintended network exfiltration or auth confusion
- install, wrapper, or CLI behavior that creates real security impact
Not in scope for security reports:
- bounded refusals or unsupported task families
- normal product bugs without security impact
- roadmap or feature-scope requests
Use the public bug template for normal bugs and the task-family template for scope requests.
How to report:
- prefer a private vulnerability-reporting surface if this repo provides one
- if no private security surface is available yet, open a minimal public issue without exploit details and ask for a private follow-up channel before sharing proof-of-concept, secrets, or sensitive repo data
- include the version, install surface, operating system, exact commands, impact, and relevant artifact paths
- redact tokens, customer data, and private repo material
Maintainers review outside pull requests conservatively.
For the current maintainer workflow, GitHub settings baseline, and local-review safety rules, use MAINTAINER_PR_SECURITY.md.
What to expect from maintainers:
- acknowledge real security reports quickly
- reproduce the issue with the smallest bounded proof
- ship the smallest safe fix or mitigation first
- coordinate disclosure after the fix path is clear