| Version | Supported |
|---|---|
| main | ✅ Yes |

Please do not report security vulnerabilities through public GitHub Issues.
Instead, send a detailed description to the repository maintainers via a GitHub private security advisory.
Please include:
- A description of the vulnerability and its impact
- Steps to reproduce (proof-of-concept code if applicable)
- The affected file(s) and line numbers
- Your suggested remediation (optional but appreciated)

You can expect an acknowledgement within 72 hours and a patch timeline within 14 days for confirmed critical issues.

| Control | Default | Override |
|---|---|---|
| `DRY_RUN` | `true` | Set `DRY_RUN=false` to enable live execution |
| `ALLOW_CODE_EVAL` | `false` | Set `ALLOW_CODE_EVAL=true` to permit `code_eval` actions |
| `ALLOW_SELF_MODIFICATION` | `false` | Set `ALLOW_SELF_MODIFICATION=true` + `DRY_RUN=false` to enable LLM self-modification |
| `API_SECRET` | unset (dev) | Required in `NODE_ENV=production`; server exits on startup if missing |
| Rate limiting | 20 req/min/IP | Applies to `POST /api/command` and `POST /api/control` |
| WebSocket token | `Authorization: Bearer` header OR `?token=` query param | Prefer header auth; the `?token=` method exposes the secret in server access logs |

- `API_SECRET` is set to a strong random value
- `NODE_ENV=production` is set
- `DRY_RUN=true` unless live execution is intentional
- `ALLOW_CODE_EVAL` and `ALLOW_SELF_MODIFICATION` remain `false` unless required
- `MOLTBOOK_WEBHOOK_SECRET` is set if `MOLTBOOK_API_URL` is configured
- The `data/` directory is mounted as a persistent volume (never committed to git)
- The container runs as the non-root `rsea` user (enforced by the Dockerfile)
- The SQLite database (`data/memory.db`) is backed up regularly (see `docs/runbook.md`)
- For Kubernetes deployments: `API_SECRET` and other credentials are stored as Kubernetes Secrets, not ConfigMaps
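
The environment-variable items in the checklist above can be checked mechanically before a deploy. The following is an added example, not code from this repository: `auditEnv`, `deployable`, the secret-strength thresholds and the exact `'true'`/`'false'` string matching are assumptions, while the variable names and defaults come from the table above.

```javascript
// Added example: audit an environment object against the deployment checklist.
// Assumptions (not from the project): the 32-character / 10-distinct-character
// floor for API_SECRET, and exact 'true'/'false' string matching for flags.
const MIN_SECRET_LENGTH = 32;
const MIN_DISTINCT_CHARS = 10;

function auditEnv(env) {
  const findings = [];
  const add = (level, key, msg) => findings.push({ level, key, msg });

  if (env.NODE_ENV !== 'production') {
    add('fail', 'NODE_ENV', 'NODE_ENV=production is not set');
  }

  const secret = env.API_SECRET || '';
  if (!secret) {
    add('fail', 'API_SECRET', 'API_SECRET is unset');
  } else if (secret.length < MIN_SECRET_LENGTH || new Set(secret).size < MIN_DISTINCT_CHARS) {
    add('fail', 'API_SECRET', 'API_SECRET is too short or too repetitive');
  }

  // Unset flags fall back to the documented defaults: DRY_RUN=true, ALLOW_*=false.
  const live = env.DRY_RUN === 'false';
  if (live) add('warn', 'DRY_RUN', 'live execution is enabled');
  if (env.ALLOW_CODE_EVAL === 'true') {
    add('warn', 'ALLOW_CODE_EVAL', 'code_eval actions are permitted');
  }
  if (env.ALLOW_SELF_MODIFICATION === 'true') {
    // Self-modification needs both switches, so report whether it is actually armed.
    add('warn', 'ALLOW_SELF_MODIFICATION', live
      ? 'LLM self-modification is active'
      : 'flag is set but inert while DRY_RUN=true');
  }

  if (env.MOLTBOOK_API_URL && !env.MOLTBOOK_WEBHOOK_SECRET) {
    add('fail', 'MOLTBOOK_WEBHOOK_SECRET', 'MOLTBOOK_API_URL is set without a webhook secret');
  }
  return findings;
}

// True only when no hard failure was found; warnings need a human decision.
const deployable = (findings) => findings.every((f) => f.level !== 'fail');

// Constructed sample environment (values are placeholders, not real settings).
const sampleEnv = {
  NODE_ENV: 'production',
  API_SECRET: 'constructed-placeholder-0123456789abcdef',
  DRY_RUN: 'false',
  ALLOW_SELF_MODIFICATION: 'true',
};
console.log(auditEnv(sampleEnv), deployable(auditEnv(sampleEnv)));
```

Passing `process.env` to `auditEnv` in a CI or entrypoint step covers the variable-based items; the volume, container user, backup and Kubernetes Secret items still need to be verified against the deployment itself.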