aden is pre-1.0. Security fixes are applied to the latest 0.1.x release line
only; there is no backporting to older point releases.
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
Please do NOT open a public GitHub issue for security vulnerabilities.
Report privately to the maintainer listed in MAINTAINERS.md — currently Ernest Hamblen (RioPlay) rioplay@rioplay.dev. Include:
- a description of the vulnerability and its impact,
- the affected version / commit,
- reproduction steps or a proof-of-concept, and
- any suggested remediation, if you have one.
- Acknowledgement: within 7 days of your report.
- Assessment & triage: we aim to confirm or reject the issue, with a severity assessment, shortly after acknowledgement.
- Coordinated disclosure: we will agree a disclosure timeline with you and credit you in the release notes unless you ask to remain anonymous. Please give us a reasonable window to ship a fix before any public disclosure.
aden is designed to ingest untrusted repositories — it parses, indexes, and assembles context from source it did not author. Its defenses reflect that:
- Path confinement.
include::[]directives and all MCP path arguments (path/out/from) are canonicalized and rejected if they resolve outside the project root — no../../etc/passwdtraversal, no writing outside the workspace. - argv, not shell. Commands are spawned with an explicit argument vector and
a
--end-of-options terminator, so attacker-controlled values cannot be interpreted as flags or injected into a shell. - Per-file panic isolation. A malformed or pathological source file cannot abort an indexing run; parse failures are isolated per file.
- Secret screening at index time. Files are screened by path and by content for structured credentials (AWS/GitHub/OpenAI/Slack keys, PEM private-key blocks) before they enter the graph, so secrets are kept out of generated context.
- Bounded execution. MCP tool invocations are bounded by a command timeout so a single call cannot block indefinitely.
For the full threat table, the include-directive rules, and the secret-scanning
layers, see docs/security-model.adoc.