
Security: motus-os/motus

Security Policy

Supported Versions

We release patches for security vulnerabilities for the following versions:

Version   Supported
0.5.x     Yes
< 0.5     No

Reporting a Vulnerability

We take the security of Motus seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via GitHub Security Advisories: https://github.com/motus-os/motus/security/advisories

You should receive a response within 48 hours.

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

  • Type of issue (e.g., buffer overflow, SQL injection, path traversal)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

Preferred Languages

We prefer all communications to be in English.

Disclosure Policy

When we receive a security bug report, we will:

  1. Confirm the problem and determine the affected versions
  2. Audit code to find any potential similar problems
  3. Prepare fixes for all supported versions
  4. Release new versions and publish advisories

Security Best Practices

When using Motus:

  • Runtime Session Data: Optional adapter surfaces may read local runtime session files or traces. Those artifacts can contain sensitive information about your codebase and should be treated as local secrets.
  • Optional Hooks and Integrations: If you enable runtime-specific hooks or adapters, review the local configuration changes before approving them.
  • Trace Files: Local trace or evidence artifacts stored under ~/.motus/ may contain sensitive information. Secure this directory appropriately.
  • Local Store: .motus/kernel-store.db contains local run/event facts and receipt projection inputs. Treat local Store files and exports as sensitive work evidence.
  • Compatibility DB: older Motus releases may have created ~/.motus/coordination.db. Treat it as sensitive local state, but do not use it as the default 0.5.x Store truth. Current compatibility commands should keep any legacy coordination state explicit and project-local.
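A permissions audit for the locations this section names, added here as an example and not part of the Motus project. It checks ~/.motus/ (recursively) and the project-local .motus/kernel-store.db for group- or world-accessible mode bits and can strip them; it assumes POSIX mode bits and that those two paths are the artifacts to protect.

```python
"""Audit Motus local artifacts for group/world-accessible permissions.

Added example, not Motus project code. Checks the paths this policy names
(~/.motus/ and .motus/kernel-store.db) on POSIX systems only.
"""
import os
import stat
from pathlib import Path

# Permission bits that grant access to anyone other than the owner.
OTHERS_MASK = stat.S_IRWXG | stat.S_IRWXO


def _walk(root: Path) -> list[Path]:
    """root itself plus everything beneath it (if it is a directory)."""
    return [root] + (list(root.rglob("*")) if root.is_dir() else [])


def exposed_paths(root: Path) -> list[str]:
    """Return 'path: mode' entries for paths that others can read/write/exec."""
    findings = []
    for p in _walk(root):
        try:
            mode = p.lstat().st_mode
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(mode):
            continue  # judge the link target when it is visited, not the link
        if mode & OTHERS_MASK:
            findings.append(f"{p}: mode {stat.filemode(mode)}")
    return findings


def harden(root: Path) -> None:
    """Strip group/other bits in place (equivalent to chmod -R go-rwx)."""
    for p in _walk(root):
        if not p.is_symlink():
            p.chmod(stat.S_IMODE(p.stat().st_mode) & ~OTHERS_MASK)


def audit_motus(home: Path = Path.home(), project: Path = Path.cwd()) -> list[str]:
    """Audit the locations this policy calls out; missing paths are skipped."""
    findings = []
    for target in (home / ".motus", project / ".motus" / "kernel-store.db"):
        if target.exists():
            findings += exposed_paths(target)
    return findings


if __name__ == "__main__":
    for line in audit_motus() or ["no group/world-accessible Motus artifacts found"]:
        print(line)
```

Run it from the project directory; `harden(Path.home() / ".motus")` applies the fix once you have reviewed the findings.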

Dependency Update Policy

  • Dependabot security updates are enabled for advisories affecting /packages/cli.
  • Routine version-bump PRs are disabled to avoid chore churn.
  • Any dependency update is opened manually as a scoped maintenance CR when needed.
  • Major updates always require explicit human review and approval.

Known Limitations (Accepted Risks)

The following issues have been reviewed and are explicitly accepted as low-risk for a localhost-first developer tool. Do not re-review these unless the threat model changes.

1. Path Reconstruction (extract_project_path)

  • Location: packages/cli/src/motus/commands/utils.py
  • Issue: String parsing to decode runtime-specific path tokens from local session metadata.
  • Why Accepted: Inputs originate from local runtime metadata the user already trusts.

2. Best-Effort Secret Redaction

  • Location: packages/cli/src/motus/commands/utils.py
  • Issue: Regex-based redaction cannot guarantee coverage of all proprietary key formats.
  • Why Accepted: Redaction is defense-in-depth; users must still avoid emitting sensitive data into prompts/logs.

3. Local Hook Trust Boundary

  • Location: packages/cli/src/motus/hooks.py
  • Issue: Optional hook execution assumes local workstation trust.
  • Why Accepted: Motus is designed for local, user-controlled environments, not hostile multi-tenant execution.

Decision Log

Date         Reviewer          Decision
2026-02-18   Internal review   Accepted 3 localhost-first risks above after removing legacy embedded web surface

For future reviewers: Re-evaluate this section if Motus introduces remote-hosted execution or non-local default transports.

Comments on this Policy

If you have suggestions on how this process could be improved, please submit a pull request.