maestro/SECURITY.md
oss-sync c526adddc2
sync: update from private repo (402599f)
2026-06-04 13:41:33 +00:00


Security Policy

Supported Versions

Security fixes are applied to the latest release and the main branch.

Reporting a Vulnerability

Do not open a public issue for an undisclosed vulnerability. Use the repository host's private security-reporting feature when available, or contact the repository owner privately. Include affected versions, impact, reproduction steps, and any suggested mitigation. Maintainers should acknowledge a report within seven days and coordinate disclosure after a fix is available.

Deployment Baseline

MAESTRO can execute tools, browser actions, and optionally SSH commands. Treat it as a privileged service:

  • Keep the service bound to localhost until OAuth authentication is configured.
  • Put internet-facing deployments behind a TLS reverse proxy.
  • Set safety.bash_sandbox: always for multi-user deployments.
  • Keep MCP_ENCRYPTION_KEY, OAuth secrets, SSH keys, and provider credentials outside the repository and rotate them after suspected exposure.
  • Restrict /metrics with a bearer token or an explicit source-IP allowlist.
  • Review enabled tools and integrations before granting access to untrusted users.