Skip to content

Security: MayberryDT/executioner

Security

SECURITY.md

Security Policy

Executioner may handle sensitive personal and operational context. Please report suspected vulnerabilities privately so they can be investigated before details are public.

Reporting

Email: tyler@animasai.co

Do not open public issues or pull requests for:

  • Credentials, secrets, access keys, webhook secrets, service-role keys, or model keys.
  • Authentication bypasses, session handling flaws, or account-access bugs.
  • Stripe checkout, portal, entitlement, or webhook bugs.
  • Supabase RLS, database access, service-role usage, account deletion, or data-retention flaws.
  • Brain dump, transcription, or prompt behavior that could leak sensitive user context.
  • Private user data, customer data, screenshots, logs, or brain dump content.

Please include:

  • A short description of the issue.
  • Steps to reproduce with test data or a local project when possible.
  • Affected routes, files, APIs, or provider flows.
  • Any logs or screenshots with secrets and personal data removed.

Scope

In scope:

  • React app routes and auth/account-access behavior.
  • Supabase Edge Functions, service-role usage, RLS assumptions, and database access patterns.
  • Stripe checkout, portal creation, and webhook processing.
  • Access-key exchange, initialization, and rotation.
  • Brain dump processing, transcription, model prompts, and data minimization.
  • Account deletion and export behavior.

Out of scope:

  • Marketing copy issues without security impact.
  • Social engineering against maintainers or users.
  • Denial-of-service reports without data access, privilege, billing, or availability impact.
  • Vulnerabilities in third-party services that are not caused by Executioner's integration.
  • Production deployment details that are intentionally not part of this public source release.

Public Repo Boundary

This repository is a public source release for reusable Executioner product logic. It does not include production secrets, customer data, private access links, production provider accounts, or hosted deployment wiring.

If you configure your own providers, use test accounts and keep credentials in .env.local.

Security Posture

Executioner's core security design goals are:

  • Review before commit for AI-generated proposals.
  • Deterministic scheduling rules outside model output.
  • Server-side service-role keys, Stripe secrets, webhook secrets, model keys, and Resend keys.
  • Account access enforced server-side.
  • Public docs and examples that avoid private access links and customer data.

No public source release should be treated as a substitute for your own deployment review. Run tests, audit dependencies, review provider settings, and verify database policies before connecting real accounts.

Vulnerability Handling

Maintainers will acknowledge serious reports as soon as practical, investigate impact, prepare a fix, and publish a disclosure when appropriate. Timing depends on severity, exploitability, and whether third-party providers are involved.

There aren't any published security advisories