Security fixes are prioritized for the latest published release and the default branch.
| Version | Supported |
|---|---|
| latest npm release | ✅ |
| current default branch | ✅ |
| older releases | |
| untagged forks | ❌ |
Please do not open a public GitHub issue for suspected security vulnerabilities.
Instead, report privately via one of these paths:
- GitHub Security Advisories / private vulnerability reporting for this repository, if enabled.
- Email the maintainer listed in
MAINTAINERS.mdwith:- affected version
- impact summary
- reproduction steps
- logs / screenshots / proof-of-concept if available
Please include:
- package version (
npm view @codexstar/pi-agent-teams versionor localpackage.json) - Pi version / environment
- operating system
- whether the issue affects leader mode, worker mode, hooks, worktrees, or CI
- minimal reproduction steps
- expected behavior vs actual behavior
Targets are best effort:
- initial acknowledgement: within 3 business days
- triage decision: within 7 business days
- fix timeline: depends on severity and reproducibility
Relevant security areas for this project include:
- task and mailbox state handling
- hook execution and environment propagation
- process lifecycle and shutdown behavior
- worktree setup / cleanup safety
- path traversal or unsafe filesystem mutation
- privilege boundary assumptions in leader/worker coordination
Out of scope unless they produce a concrete exploit path:
- generic rate-limiting suggestions
- missing audit logs by themselves
- theoretical DoS without demonstrated amplification or meaningful business impact