Security Policy
Hello and thank you for your interest!
Supported versions
This package is at v0. Only the latest commit on main is supported for security fixes - there are no published releases yet to backport to.
| Version | Supported |
|---|---|
| main (latest) | Yes |
| any pinned commit | No |
Reporting a vulnerability
Please disclose any vulnerabilities by emailing coilysiren@gmail.com. Expect a first response within 48 hours; follow-up cadence by email after that. This project is run on volunteer time, so please have patience.
What counts as a vulnerability
cli-web-ops is a CLI-to-RCE bridge by construction. The threat model is the whole product. Specifically interested in:
- listeners binding to a non-Tailscale interface without `DangerouslySkipTailscale` or `DangerouslyBindAnywhere` being set
- requests reaching the executor (`/run/<tool>`) without passing through `Auth.Middleware`
- form parsing producing arguments that bypass the wrapped tool's JSON Schema validation
- SSE streams leaking state from one operator's session to another
- the `Dangerously*` opt-outs combining to enable a bind that none of them individually allowed
Particularly interested in any path where a `DangerouslyAllowAllAuth` stub configuration ships in production by accident and the binary does not refuse to start.
Out of scope:
- bugs in the upstream MCP server cli-web-ops connects to - report there
- the absence of a default WebAuthn driver in v0 - that is tracked, not a vulnerability