Security: sanchez314c/sweepOS

SECURITY.md

Security Policy

Supported Versions

Version   Supported
1.x.x     Yes

Reporting a Vulnerability

If you find a security vulnerability, please report it privately:

Email: jason@jasonpaulmichaels.co

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Do not open a public issue for security vulnerabilities. I'll respond within 48 hours and work with you on a fix before any public disclosure.

Security Design

SweepOS handles file deletion and system commands. Security is a core concern:

  • Context isolation is enabled. The renderer has no direct Node.js access.
  • Path allowlist in safety.ts restricts deletions to known safe directories.
  • Symlinks are resolved before any operation. Targets outside the allowlist are rejected.
  • No shell interpolation. All commands use execFile with argument arrays.
  • Privileged operations use pkexec for graphical authentication.
  • Delete logging. Every delete is recorded to ~/.config/sweepOS/clean-history.json.
  • CSP headers restrict content sources in production builds.
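
An added sketch of the resolve-then-check pattern described in the allowlist and symlink bullets above. It is not sweepOS's safety.ts; the function names, the directory names and the choice to refuse the allowlisted root itself are assumptions made for illustration.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Hypothetical helper (not the project's code): true only when the fully
// resolved candidate lies strictly inside one of the allowlisted roots.
function isDeletionAllowed(candidate: string, allowedRoots: string[]): boolean {
  const real = (p: string): string | null => {
    // realpathSync follows every symlink in the path, parent dirs included.
    try { return fs.realpathSync(p); } catch { return null; }
  };
  const target = real(candidate);
  if (target === null) return false; // missing paths and dangling links
  return allowedRoots.some((root) => {
    const realRoot = real(root);
    if (realRoot === null) return false;
    // Compare whole segments so "cache-evil" never matches root "cache".
    // rel === "" is the root itself, which this sketch also refuses.
    const rel = path.relative(realRoot, target);
    return rel !== "" && rel.split(path.sep)[0] !== ".." && !path.isAbsolute(rel);
  });
}

// Constructed sample tree in a temp directory; every name here is made up.
function demo(): Record<string, boolean> {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "allowlist-demo-"));
  const cache = path.join(base, "cache");
  const sibling = path.join(base, "cache-evil");
  const outside = path.join(base, "documents");
  for (const d of [cache, sibling, outside]) fs.mkdirSync(d);
  fs.writeFileSync(path.join(cache, "thumb.bin"), "x");
  fs.writeFileSync(path.join(sibling, "a.txt"), "x");
  fs.writeFileSync(path.join(outside, "taxes.txt"), "x");
  // A link that sits inside the allowlisted root but points outside it.
  fs.symlinkSync(outside, path.join(cache, "link"));
  const check = (p: string): boolean => isDeletionAllowed(p, [cache]);
  const results = {
    plainFile: check(path.join(cache, "thumb.bin")),
    viaSymlink: check(path.join(cache, "link", "taxes.txt")),
    dotDot: check(cache + path.sep + ".." + path.sep + "documents"),
    prefixSibling: check(path.join(sibling, "a.txt")),
    rootItself: check(cache),
    missing: check(path.join(cache, "nope")),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```

Because the check and the delete are separate steps, a path can change between them; passing the resolved path to the delete call narrows that window.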

There aren't any published security advisories