Only the latest minor line of forgekit receives security updates.
| Version | Supported |
|---|---|
| 0.5.x | ✅ Yes |
| < 0.5 | ❌ No |
Do not open a public issue for security vulnerabilities.
Report privately via GitHub's private vulnerability reporting ("Report a vulnerability" under the Security tab).
Include: a description and impact, steps to reproduce (a minimal PoC is ideal), and the forgekit + Node.js versions affected.
- We aim to acknowledge reports within 72 hours.
- Fixes ship as a patch release; reporters are credited in the changelog unless they prefer to remain anonymous.
forgekit's own skill-gate (forge scan) vets third-party skills/MCP servers for
prompt-injection / RCE / exfil before install, and its guards block secret-file
writes and redact secrets from tool output. These reduce, but do not eliminate,
supply-chain risk — always review a third-party skill/plugin before installing it.
In scope: the forgekit CLI and its emitters/guards; the skill-gate scanner
(including prompt-injection patterns forge scan should catch but doesn't); secret
handling in guards; the published npm package (@codewithjuber/forgekit) and its
install channels; the team ledger's integrity properties (below); the supply chain of
our own dev dependencies.
Out of scope: vulnerabilities in the third-party tools Forge configures (Claude Code, Cursor, Codex, …) or the MCP servers/skills you choose to install — report those upstream. Forge reduces risk (vetting before install, secret redaction, sandbox wiring) but is not itself a sandbox.
The team ledger (proof-carrying memory) is shared, mergeable state — so it is designed to resist forged confidence, not just corruption:
- Content-addressed claims. A claim's id is the hash of its canonical JSON bytes.
forge ledger verifyrecomputes every content hash and reports any record whose bytes don't match its address as tampered/invalid. - Oracle weights are never trusted from records.
val()re-reads each oracle's weight from the in-codeORACLEStable at read time; awfield stored in an evidence record is audit metadata only. A forged record cannot grant itself extra weight. - Append-only, hash-deduped evidence logs. Merge is a conflict-free set union; corrupt or unknown-oracle lines are skipped rather than counted. Confidence is earned from valid evidence, never asserted by a record.
Protocol details: docs/plans/substrate-v2/01-pcm-protocol.md.
A way to make the ledger report a val its evidence doesn't support is a security bug —
report it.
- Require 2FA for anyone with write access; use least-privilege tokens.
- Branch-protect
master: require PR + green CI + review; block force-push. - Enable GitHub secret scanning + push protection (Settings → Code security). In CI:
CodeQL (
.github/workflows/codeql.yml— advanced setup, so keep default setup off), gitleaks (security.yml, blocking), and OSSF Scorecard (scorecard.yml). - Dependency updates land via Dependabot (7-day cooldown); the
dependency-reviewjob blocks PRs that introduce known-vulnerable or disallowed-license dependencies. - Releases publish from CI with npm provenance (OIDC) + a scoped
NPM_TOKEN— never a long-lived token in code.
forgekit's controls map to the 2026 baselines:
OWASP LLM Top 10
- Prompt injection / supply chain (LLM01/03/05):
forge scan(skill-gate) blocks injection / RCE / exfil in a skill or MCP config before install. - Insecure output handling / sensitive-info disclosure (LLM02/06): the
secret-redactguard masks keys in tool output;protect-pathsblocks secret-file reads/writes. - Excessive agency (LLM08): guards enforce least privilege + human-in-the-loop
(
permissionDecisiondeny/ask);forge hardenwires the OS sandbox. - Unbounded consumption / model DoS (LLM10): the cost governor + doom-loop breaker cap runaway spend and thrash.
- Output integrity:
forge verify(tests + hallucinated-symbol + provenance) treats AI output as untrusted and requires evidence before merge.
NIST SSDF (SP 800-218): prepare (this policy + GOVERNANCE); protect (zero-dep, signed provenance, branch protection); produce (CI gate: lint / type / test / audit / dependency-review); respond (this reporting process + Dependabot).
SLSA: releases publish from CI with npm provenance (build attestation). Pin third-party GitHub Actions to commit SHAs before adding any.