Reporting a Vulnerability Do not open a public GitHub issue for security vulnerabilities.
Email security@blackroad.io
Description of the vulnerability
Steps to reproduce
Potential impact
Suggested fix (if any)
Phase
Timeline
Initial response
24 hours
Triage and assessment
72 hours
Fix development
7-14 days
Coordinated disclosure
90 days
Version
Status
Latest on main
Active support
Previous releases
Security fixes only
All LLM provider communication flows through the tokenless gateway. Agents never embed API keys.
Agent --> Gateway (localhost:8787) --> Provider (Ollama / Claude / OpenAI)
Component
Method
API
JWT via auth.blackroad.io
CLI
Token-based
Fleet SSH
Public key authentication
Cloudflare Workers
Wrangler auth
MCP Bridge
Bearer token
Cloudflare Tunnel terminates TLS for all public endpointsWireGuard encrypts all inter-node traffic (10.8.0.x mesh)Pi-hole filters DNS on the fleetUFW on Lucidia (INPUT DROP policy)NOPASSWD sudo limited to operational users on each nodeSecrets stored in ~/.blackroad/ with 600 permissions, never in code
Scan
Tool
Frequency
Static analysis
CodeQL
Every PR
Dependencies
Dependabot
Daily
Secret detection
GitHub Secret Scanning
Every commit
Shell linting
ShellCheck
CI on every push
Never commit secrets, tokens, or credentials
Use environment variables or .env files (gitignored)
Use parameterized queries for all database access
Validate input at system boundaries
Keep dependencies updated (npm audit, pip-audit)
In Scope
Out of Scope
*.blackroad.io
Third-party services
API endpoints
Social engineering
Agent infrastructure
Physical access attacks
Authentication and authorization
Denial of service
BlackRoad OS, Inc. -- Pave Tomorrow.