GreyforgeLabs
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 6 additions & 2 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎.github/workflows/publish-pypi.yml‎
Lines changed: 40 additions & 4 deletions b/‎.github/workflows/publish-pypi.yml‎
Lines changed: 40 additions & 4 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 12 additions & 6 deletions b/‎.github/workflows/release.yml‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 12 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 9 additions & 1 deletion b/‎README.md‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎SECURITY.md‎
Lines changed: 6 additions & 0 deletions b/‎SECURITY.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/devcap/cli.py‎
Lines changed: 31 additions & 9 deletions b/‎src/devcap/cli.py‎
Lines changed: 31 additions & 9 deletions
diff --git a/‎src/devcap/formatters.py‎
Lines changed: 23 additions & 14 deletions b/‎src/devcap/formatters.py‎
Lines changed: 23 additions & 14 deletions
@@ -6,15 +6,19 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     strategy:
       matrix:
         python-version: ["3.11", "3.12"]
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ matrix.python-version }}
       - run: python -m pip install --upgrade pip
 
@@ -6,7 +6,7 @@ on:
       ref:
         description: "Git ref to publish. Use a release tag such as v0.1.0."
         required: true
-        default: "main"
+        default: "v0.1.0"
 
 permissions:
   contents: read
@@ -15,20 +15,56 @@ permissions:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     environment:
       name: pypi
       url: https://pypi.org/p/devcap
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ inputs.ref }}
-      - uses: actions/setup-python@v6
+          fetch-depth: 0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.12"
+      - name: Validate publish tag matches project version
+        env:
+          PUBLISH_REF: ${{ inputs.ref }}
+        run: |
+          set -euo pipefail
+
+          case "$PUBLISH_REF" in
+            v[0-9]*.[0-9]*.[0-9]*) ;;
+            *)
+              echo "Publish ref must be a version tag like v0.1.0"
+              exit 1
+              ;;
+          esac
+
+          TAG_VERSION="${PUBLISH_REF#v}"
+          PROJECT_VERSION="$(python - <<'PY'
+          import tomllib
+          with open("pyproject.toml", "rb") as handle:
+              data = tomllib.load(handle)
+          print(data["project"]["version"])
+          PY
+          )"
+
+          if [ "$TAG_VERSION" != "$PROJECT_VERSION" ]; then
+            echo "Publish tag $TAG_VERSION does not match project.version $PROJECT_VERSION"
+            exit 1
+          fi
+
+          HEAD_SHA="$(git rev-parse HEAD)"
+          TAG_SHA="$(git rev-list -n 1 "$PUBLISH_REF")"
+          if [ "$HEAD_SHA" != "$TAG_SHA" ]; then
+            echo "Checked-out commit does not match tag $PUBLISH_REF"
+            exit 1
+          fi
       - run: python -m pip install --upgrade pip
       - run: python -m pip install -e ".[dev]"
       - run: python -m ruff check .
       - run: python -m pytest
       - run: python -m build
       - run: python -m twine check dist/*
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
@@ -6,18 +6,21 @@ on:
       - "v*"
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.12"
       - name: Validate tag matches project version
         run: |
+          set -euo pipefail
+
           TAG_VERSION="${GITHUB_REF_NAME#v}"
           PROJECT_VERSION="$(python - <<'PY'
           import tomllib
@@ -37,20 +40,23 @@ jobs:
       - run: python -m pytest
       - run: python -m build
       - run: python -m twine check dist/*
-      - uses: actions/upload-artifact@v8
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: dist
           path: dist/*
 
   github-release:
     needs: build
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write
     steps:
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: dist
           path: dist
-      - uses: softprops/action-gh-release@v2
+      - uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
         with:
           files: dist/*
           generate_release_notes: true
@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/), and this project adheres to [Semantic Versioning](https://semver.org/).
 
+## [Unreleased]
+
+### Security
+
+- Validate custom TOML profile schema, command fields, service names, and profile size before scanning.
+- Reject high-risk custom interpreter commands and shell-control characters in custom version flags.
+- Skip vendored/project-local PATH segments by default; add `--include-vendored` for trusted checkouts.
+- Add `--redact` to replace hostnames and executable paths before public sharing.
+- Sanitize terminal control sequences and Markdown table delimiters in human-readable output.
+- Add `systemctl --` argument separation for service checks and process-group cleanup on scan timeouts.
+- Harden GitHub Actions release/publish workflows with pinned action commits, tag/version checks, job timeouts, and narrower permissions.
+
 ## [0.1.0] - 2026-04-06
 
 ### Added
 
@@ -36,6 +36,9 @@ devcap scan --format json
 # Markdown tables (paste into docs)
 devcap scan --format markdown
 
+# Public-safe metadata: suppress hostname and executable paths
+devcap scan --format markdown --redact
+
 # Scan only Python-related tools
 devcap scan --profile python-dev
 
@@ -45,6 +48,9 @@ devcap check --profile devops
 # Custom profile
 devcap scan --config my-tools.toml
 
+# Include project-local/vendor PATH entries such as node_modules/.bin or .venv/bin
+devcap scan --profile node-dev --include-vendored
+
 # List available profiles
 devcap list-profiles
 ```
@@ -91,6 +97,8 @@ version_flag = "-v"
 
 Tools listed in the registry inherit their detection config automatically. Custom tools need `binary` and optionally `version_flag`.
 
+Custom profiles execute local binaries to collect versions. Treat profiles from third-party repositories like code, not passive data. By default, `devcap` rejects interpreter-style custom commands and skips vendored/project-local PATH entries such as `node_modules`, `.venv`, `venv`, `__pypackages__`, `.tox`, and `.nox`; use `--include-vendored` only when you trust the checkout being scanned.
+
 ## Output Formats
 
 **Text** (default) — columnar, human-readable:
@@ -113,7 +121,7 @@ Tools listed in the registry inherit their detection config automatically. Custo
 }
 ```
 
-**Markdown** — tables for documentation or READMEs.
+**Markdown** — tables for documentation or READMEs. Terminal control sequences and Markdown table delimiters from tool output are sanitized before display, but environment inventory can still reveal hostnames, paths, installed tools, and service status. Use `--redact` to replace hostname and executable paths before publishing output.
 
 ## Exit Codes
 
 
@@ -24,6 +24,12 @@ Instead, use one of these methods:
 - Potential impact
 - Suggested fix (if you have one)
 
+## Local Scan Boundary
+
+`devcap` is a local inventory tool. It executes discovered binaries with version flags, so custom profiles and PATH entries from untrusted repositories must be treated as executable inputs. The default scanner rejects high-risk custom interpreter commands, skips vendored/project-local PATH segments unless `--include-vendored` is set, validates custom profile schema, separates `systemctl` options from service names, and sanitizes terminal/Markdown display output.
+
+Inventory output may include hostnames, OS details, executable paths, tool versions, and service state. Use `--redact` to suppress hostname and executable paths, then review JSON, text, and Markdown output before publishing it or uploading it as a public artifact.
+
 ## Response Timeline
 
 - **Acknowledgment**: Within 48 hours
 
@@ -7,7 +7,7 @@
 
 from .formatters import FORMATTERS
 from .profile_loader import list_builtin_profiles, load_builtin_profile, load_custom_profile
-from .scanner import scan_tools
+from .scanner import redact_scan, scan_tools
 
 
 def main(argv: list[str] | None = None) -> int:
@@ -72,6 +72,19 @@ def _add_scan_arguments(parser: argparse.ArgumentParser) -> None:
         action="store_true",
         help="Disable parallel scanning (useful for debugging)",
     )
+    parser.add_argument(
+        "--include-vendored",
+        action="store_true",
+        help=(
+            "Allow executables from vendored/project-local PATH segments such as "
+            "node_modules or .venv"
+        ),
+    )
+    parser.add_argument(
+        "--redact",
+        action="store_true",
+        help="Replace hostname and executable paths with [redacted] in output",
+    )
 
 
 def _cmd_list_profiles() -> int:
@@ -86,24 +99,33 @@ def _cmd_list_profiles() -> int:
 
 def _cmd_scan(args: argparse.Namespace) -> int:
     # Load profile
-    if args.config:
-        profile = load_custom_profile(args.config)
-    elif args.profile:
-        try:
+    try:
+        if args.config:
+            profile = load_custom_profile(args.config)
+        elif args.profile:
             profile = load_builtin_profile(args.profile)
-        except FileNotFoundError:
+        else:
+            profile = load_builtin_profile("full")
+    except FileNotFoundError:
+        if args.profile:
             print(f"Error: unknown profile '{args.profile}'", file=sys.stderr)
             print(f"Available: {', '.join(list_builtin_profiles())}", file=sys.stderr)
-            return 2
-    else:
-        profile = load_builtin_profile("full")
+        else:
+            print(f"Error: profile not found: {args.config}", file=sys.stderr)
+        return 2
+    except ValueError as exc:
+        print(f"Error: invalid profile: {exc}", file=sys.stderr)
+        return 2
 
     # Scan
     result = scan_tools(
         tools=profile.tools,
         services=profile.services,
         parallel=not args.no_parallel,
+        include_vendored=args.include_vendored,
     )
+    if args.redact:
+        result = redact_scan(result)
 
     # Format and print
     formatter = FORMATTERS[args.format]
 
@@ -5,6 +5,7 @@
 import json
 
 from .registry import CATEGORIES
+from .safe_text import clean_text, markdown_cell, markdown_inline_code
 from .scanner import ScanResult, ToolResult
 
 
@@ -25,9 +26,11 @@ def _group_by_category(results: list[ToolResult]) -> dict[str, list[ToolResult]]
 
 def format_text(scan: ScanResult) -> str:
     """Format scan results as human-readable columnar text."""
+    hostname = clean_text(scan.hostname, max_length=120)
+    timestamp = clean_text(scan.timestamp, max_length=80)
     lines = [
-        f"devcap scan — {scan.hostname} — {scan.timestamp}",
-        f"Platform: {scan.platform}",
+        f"devcap scan — {hostname} — {timestamp}",
+        f"Platform: {clean_text(scan.platform, max_length=160)}",
         "",
     ]
 
@@ -36,23 +39,25 @@ def format_text(scan: ScanResult) -> str:
         found = [t for t in tools if t.found]
         missing = [t for t in tools if not t.found]
 
-        lines.append(f"=== {category} ===")
+        lines.append(f"=== {clean_text(category, max_length=80)} ===")
         if found:
             for t in found:
-                version = t.version or "?"
-                lines.append(f"  {t.name:<16} {version:<20} {t.path}")
+                name = clean_text(t.name, max_length=32)
+                version = clean_text(t.version or "?", max_length=80)
+                path = clean_text(t.path or "", max_length=240)
+                lines.append(f"  {name:<16} {version:<20} {path}")
         if missing:
             lines.append("  Missing:")
             for t in missing:
-                lines.append(f"    {t.name}")
+                lines.append(f"    {clean_text(t.name, max_length=80)}")
         lines.append("")
 
     if scan.services:
         lines.append("=== Services ===")
         for svc in scan.services:
             status = "running" if svc.active else "stopped"
             suffix = " (user)" if svc.user_service else ""
-            lines.append(f"  [{status}] {svc.name}{suffix}")
+            lines.append(f"  [{status}] {clean_text(svc.name, max_length=120)}{suffix}")
         lines.append("")
 
     found_count = sum(1 for r in scan.results if r.found)
@@ -69,10 +74,12 @@ def format_json(scan: ScanResult) -> str:
 
 def format_markdown(scan: ScanResult) -> str:
     """Format scan results as markdown tables."""
+    timestamp = markdown_cell(scan.timestamp, max_length=80)
+    platform = markdown_cell(scan.platform, max_length=160)
     lines = [
-        f"# Development Environment — {scan.hostname}",
+        f"# Development Environment — {markdown_cell(scan.hostname, max_length=120)}",
         "",
-        f"> Scanned: {scan.timestamp} | Platform: {scan.platform}",
+        f"> Scanned: {timestamp} | Platform: {platform}",
         "",
     ]
 
@@ -81,17 +88,19 @@ def format_markdown(scan: ScanResult) -> str:
         found = [t for t in tools if t.found]
         missing = [t for t in tools if not t.found]
 
-        lines.append(f"## {category}")
+        lines.append(f"## {markdown_cell(category, max_length=80)}")
         lines.append("")
         if found:
             lines.append("| Tool | Version | Path |")
             lines.append("|------|---------|------|")
             for t in found:
-                version = t.version or "?"
-                lines.append(f"| {t.name} | {version} | {t.path} |")
+                name = markdown_cell(t.name, max_length=80)
+                version = markdown_cell(t.version or "?", max_length=80)
+                path = markdown_cell(t.path or "")
+                lines.append(f"| {name} | {version} | {path} |")
             lines.append("")
         if missing:
-            missing_names = ", ".join(f"`{t.name}`" for t in missing)
+            missing_names = ", ".join(markdown_inline_code(t.name) for t in missing)
             lines.append(f"**Not installed**: {missing_names}")
             lines.append("")
 
@@ -103,7 +112,7 @@ def format_markdown(scan: ScanResult) -> str:
         for svc in scan.services:
             status = "running" if svc.active else "stopped"
             suffix = " (user)" if svc.user_service else ""
-            lines.append(f"| {svc.name}{suffix} | {status} |")
+            lines.append(f"| {markdown_cell(svc.name, max_length=120)}{suffix} | {status} |")
         lines.append("")
 
     return "\n".join(lines)