Report security issues privately to:
info@xhesam.com
Do not open public GitHub issues for vulnerabilities.
Daryaft will download files from user-provided URLs. It must never execute downloaded files automatically. Future features that run hooks, execute commands, or scan files must be explicit opt-in features.
Read:
docs/architecture/security-model.mddocs/features/security-and-validation.mddocs/engineering/error-model.md
Self-update is planned but not implemented. When added, it must verify checksums before replacing the binary and attempt rollback if replacement fails.