Security: mpiton/forgent

SECURITY.md

Security Policy — Forgent

Supported versions

Only the latest stable version receives security patches.

Version                  Supported
latest v0.x (pre-1.0)    Yes
earlier versions         No

Reporting a vulnerability

Never open a public issue for a vulnerability.

Contact privately:

Include:

  • Problem description
  • Reproduction steps
  • Estimated impact
  • (Optional) suggested fix

Response within 72h. Coordinated disclosure after patch.

Attack surface

Forgent is a Claude Code CLI orchestrator; the main attack surface is:

  1. Command injection via F-086 prompts: editable agent prompts could inject shell through {{var}} variables. Mitigation: strict sanitization in domain/security/tool_input_validator.rs + shell-quoting escape before PTY injection.
  2. Path traversal: FS operations must stay under <project>/.claude/forgent/ or ~/.forgent/. Mitigation: domain/security/path_containment.rs (canonicalize + prefix check).
  3. Malicious bash execution: Claude Code CLI may generate destructive commands. Mitigation: domain/security/bash_validator.rs (AST parser + denylist).
  4. Secret leakage: GitHub OAuth tokens, sensitive file content. Mitigation: domain/security/secret_scanner.rs + tracing redaction layer.
  5. MCP: handled entirely by Claude Code CLI. No MCP surface on Forgent side.
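Item 1 describes the F-086 mitigation as sanitization plus shell quoting before prompt text reaches the PTY. The following is an added illustration of that shape, not Forgent's own code from tool_input_validator.rs; the names `sanitize_value`, `shell_quote` and `render`, and the exact `{{var}}` handling, are assumptions. It rejects control characters (in a PTY a newline submits the line before any quoting is seen) and single-quotes every substituted value so a POSIX shell reads it as one literal word.

```rust
// Added example, not Forgent's code: quoting {{var}} substitutions before
// they are injected into a PTY. Names and template rules are assumed.
use std::collections::HashMap;

/// Reject values that could break out of the input line. Control characters
/// (newline, carriage return, escape sequences) act on the terminal before
/// any quoting is interpreted by the shell, so quoting alone cannot cover them.
pub fn sanitize_value(value: &str) -> Result<&str, String> {
    if let Some(c) = value.chars().find(|c| c.is_control()) {
        return Err(format!("control character {:?} not allowed in variable", c));
    }
    Ok(value)
}

/// POSIX single-quote escaping: inside '...' nothing is special except the
/// closing quote itself, so a literal ' becomes '\'' (close, escaped quote, reopen).
pub fn shell_quote(value: &str) -> String {
    if value.is_empty() {
        return "''".to_string();
    }
    // Small fixed set of characters that need no quoting; keep it small rather
    // than growing it, since every addition is a bet on shell semantics.
    if value
        .chars()
        .all(|c| c.is_ascii_alphanumeric() || "-_./=:@%+,".contains(c))
    {
        return value.to_string();
    }
    format!("'{}'", value.replace('\'', "'\\''"))
}

/// Substitute `{{name}}` placeholders with quoted values. Unknown or
/// unterminated placeholders are errors rather than being passed through, so
/// an edited prompt cannot smuggle its own braces past the renderer.
pub fn render(template: &str, vars: &HashMap<&str, &str>) -> Result<String, String> {
    let mut out = String::with_capacity(template.len());
    let mut rest = template;
    while let Some(start) = rest.find("{{") {
        out.push_str(&rest[..start]);
        let after = &rest[start + 2..];
        let end = after.find("}}").ok_or("unterminated {{ in template")?;
        let name = after[..end].trim();
        let raw = vars
            .get(name)
            .copied()
            .ok_or_else(|| format!("unknown variable {name}"))?;
        out.push_str(&shell_quote(sanitize_value(raw)?));
        rest = &after[end + 2..];
    }
    out.push_str(rest);
    Ok(out)
}

fn main() {
    // Constructed sample: a benign value with a quote and a shell metacharacter.
    let mut vars = HashMap::new();
    vars.insert("pattern", "it's; echo x");
    vars.insert("file", "notes.md");
    println!("{:?}", render("grep {{pattern}} {{file}}", &vars));
    // => Ok("grep 'it'\\''s; echo x' notes.md")
    vars.insert("pattern", "x\ny");
    println!("{:?}", render("grep {{pattern}}", &vars)); // => Err(control character ...)
}
```

The quoting is only a defence where the substituted text is consumed by a POSIX shell; where the CLI consumes the prompt as plain text, the control-character rejection is the part that matters, and both checks should run on the value, never on the already-rendered string.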

Guarantees

  • No Claude OAuth on Forgent side: no Anthropic credential stored, no direct api.anthropic.com calls.
  • GitHub OAuth only: token encrypted via OS keyring (macOS Keychain / Windows Credential Manager / Linux Secret Service).
  • Strict webview CSP: default-src 'self'; connect-src 'self' tauri: https://api.github.com.
  • Signed updater: ed25519, public key embedded, refused if signature invalid.
  • Scoped Tauri capabilities: FS allowlist limited to ~/.forgent/** and **/.claude/forgent/**, HTTP allowlist limited to GitHub + code.claude.com.
  • CI secrets-scan: rejects .env/.pem/.key/.p12/.pfx files in repo + greps known API key patterns.
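Item 2 of the attack surface and the FS allowlist above both depend on a canonicalize-plus-prefix check. Below is an added example of that check in Rust; it is not the contents of domain/security/path_containment.rs, and `contain`, `ContainmentError` and `is_contained` are assumed names. It handles the two cases that usually break such checks: targets that do not exist yet (canonicalize fails on them, so the deepest existing ancestor is canonicalized instead) and sibling directories that share a string prefix with the root (caught because `Path::starts_with` compares components, not bytes).

```rust
// Added example, not Forgent's code: path containment by canonicalizing and
// checking the result against an allowed root. Names are assumed.
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

#[derive(Debug)]
pub enum ContainmentError {
    /// The resolved path lies outside the allowed root.
    Escapes(PathBuf),
    Io(io::Error),
}

impl From<io::Error> for ContainmentError {
    fn from(e: io::Error) -> Self {
        ContainmentError::Io(e)
    }
}

/// Resolve `candidate` (absolute, or relative to `root`) and require the
/// result to stay under the canonical `root`.
///
/// The target may not exist yet (a file about to be written), so the deepest
/// existing ancestor is canonicalized and the remaining components are
/// re-appended. A `..` in that not-yet-existing tail makes `file_name()`
/// return `None`, which is treated as an escape rather than guessed around.
pub fn contain(root: &Path, candidate: &Path) -> Result<PathBuf, ContainmentError> {
    // Canonicalize the root too: /tmp is a symlink to /private/tmp on macOS,
    // and a non-canonical root would never match a canonical candidate.
    let root = fs::canonicalize(root)?;
    let joined = if candidate.is_absolute() {
        candidate.to_path_buf()
    } else {
        root.join(candidate)
    };

    let mut existing = joined.as_path();
    let mut tail: Vec<std::ffi::OsString> = Vec::new();
    while !existing.exists() {
        match (existing.file_name(), existing.parent()) {
            (Some(name), Some(parent)) => {
                tail.push(name.to_os_string());
                existing = parent;
            }
            _ => return Err(ContainmentError::Escapes(joined.clone())),
        }
    }

    // Symlinks inside the root that point outside are followed here, so a
    // link to another directory resolves to its real location and is rejected.
    let mut resolved = fs::canonicalize(existing)?;
    for name in tail.into_iter().rev() {
        resolved.push(name);
    }

    // Component-wise prefix: "/home/u/.forgent-evil" does not start with
    // "/home/u/.forgent", which a plain string prefix test would accept.
    if resolved.starts_with(&root) {
        Ok(resolved)
    } else {
        Err(ContainmentError::Escapes(resolved))
    }
}

/// Convenience predicate for callers that only need a yes/no answer.
pub fn is_contained(root: &Path, candidate: &Path) -> bool {
    matches!(contain(root, candidate), Ok(_))
}

fn main() -> io::Result<()> {
    // Constructed sandbox: a throwaway root next to an "outside" directory.
    let base = std::env::temp_dir().join(format!("contain-demo-{}", std::process::id()));
    let root = base.join("root");
    fs::create_dir_all(root.join("sub"))?;
    fs::create_dir_all(base.join("outside"))?;
    for cand in ["sub/state.json", "../outside/x", "sub/../../outside"] {
        println!("{cand:<22} -> {:?}", contain(&root, Path::new(cand)));
    }
    fs::remove_dir_all(&base)
}
```

Run the check on every path the FS layer touches, not only on user-supplied ones, and call it immediately before the operation: a directory created or re-linked between check and use is the remaining race, and keeping the two adjacent narrows that window.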

Dependency audit

  • cargo deny check runs in CI (licenses + bans + RustSec advisories) → blocks build on known vulnerability, banned crate, or non-AGPL-compatible license. Uses the same RustSec advisory DB as cargo-audit and supersedes it.
  • pnpm audit is not run in CI (oxlint, which is, does not cover dependency security); it may be run manually.

User hardening

  • Run claude doctor regularly to verify Claude Code CLI auth.
  • Do not commit <project>/.claude/forgent/ if the project is private (.gitignore does not exclude it by default; user decides).
  • Enable auto-update to receive security patches.
