Skip to content

docs(security): split git-backup threat model into its own page#74

Merged
fdaviddpt merged 1 commit into
mainfrom
max/security-docs-git-backup
May 25, 2026
Merged

docs(security): split git-backup threat model into its own page#74
fdaviddpt merged 1 commit into
mainfrom
max/security-docs-git-backup

Conversation

@fdaviddpt
Copy link
Copy Markdown
Contributor

@fdaviddpt fdaviddpt commented May 25, 2026

docs(security): split git-backup threat model into its own page

Context

The README "Trust Model" section reads like a CVE advisory and applies all three threats to every install — even though git backup is opt-in. Scares off users who'd never enable backup and don't carry that risk.

Changes

  • README.md — replace the three-bullet trust block with a short paragraph: default install adds no new attack surface beyond Claude Code itself; one-line pointer to the detailed doc for users who opt into git backup.
  • docs/git-backup-security.md (new) — full threat model scoped to the opt-in feature. Leads with the disarmer: ~/.remember/ has the same trust assumptions as ~/.ssh/, ~/.bashrc, ~/.gitconfig — if an attacker can write your home dir as your user, the plugin is the least of your worries. Then the three real concerns specific to git backup, and the recommended setup.

No code changes, no behavior changes.

Why this framing

  • The original list conflated "this plugin is dangerous" with "any home-dir-writable file is dangerous". The second is true and universal; surfacing it disarms the first.
  • Most users will never enable git backup. They shouldn't have to read a threat model for a feature they don't use.
  • The mitigations the plugin already has (remote-URL validation + allow_remote_change) deserve more prominence than they got in the original block.

docs(security): split git-backup threat model into its own page
b70833a 
The README "Trust Model" section read like a CVE advisory and applied
all three threats to every install — even though git backup is opt-in.

Reframe:
- README: short paragraph noting default install adds no new attack
  surface, with a one-line pointer to the detailed doc for git-backup users.
- New docs/git-backup-security.md: full threat model, scoped to the
  opt-in feature. Leads with the disarmer that ~/.remember/ has the
  same trust assumptions as ~/.ssh/, ~/.bashrc, ~/.gitconfig — if an
  attacker can write your home dir as your user, the plugin is the
  least of your worries.

No code changes, no behavior changes.

Co-Authored-By: Max <noreply>
@fdaviddpt fdaviddpt force-pushed the max/security-docs-git-backup branch from 192a9b2 to b70833a Compare May 25, 2026 07:29
@fdaviddpt fdaviddpt merged commit e8a88b9 into main May 25, 2026
4 of 10 checks passed
@fdaviddpt fdaviddpt deleted the max/security-docs-git-backup branch May 25, 2026 07:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fdaviddpt