
Security: EmreErinc/envforge

SECURITY.md

Security Policy

Reporting Vulnerabilities

If you discover a security vulnerability in EnvForge, please report it responsibly:

  1. Do NOT open a public GitHub issue
  2. Email: security@envforge.dev (or use GitHub Security Advisories)
  3. Include: description, reproduction steps, potential impact
  4. We aim to respond within 48 hours

Security Model

What EnvForge Protects

  • File integrity — Atomic writes prevent partially written or corrupted files; SHA-256 hashes verify file contents.
  • No data loss — Soft-delete only. Original content preserved as comments.
  • Secret masking — Sensitive values never displayed in plain text by default.
  • Encryption at rest — Optional age encryption for sensitive values.
  • Credential isolation — All provider credentials passed via environment variables or stdin pipes (never CLI flags) to prevent /proc/PID/cmdline leakage.
  • Error sanitization — CLI error output is sanitized to redact credential patterns before logging or display.
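
Worked example of the secret-masking and error-sanitization points above. This is an added illustration, not EnvForge's code: the credential shapes (Vault hvs. tokens, AWS AKIA key IDs, Doppler dp.st. tokens, 1Password ops_ tokens, and generic KEY=value pairs with credential-like key names), the sample error lines, and the names redact, mask_env_line and demo are all constructed for the example. Key names are preserved in redacted output so an error stays debuggable; the AWS key values in the sample are the public example keys from AWS documentation.

```python
import re

# Constructed, illustrative credential shapes (not EnvForge's own list):
# tokens with a documented prefix, plus generic KEY=value pairs whose key
# name looks like a credential.  Prefix patterns are deliberately broad.
PREFIXED_TOKENS = [
    ("vault token", re.compile(r"\bhvs\.[A-Za-z0-9_-]{20,}")),
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("doppler token", re.compile(r"\bdp\.(?:st|pt|ct|sa)\.[A-Za-z0-9._-]{20,}")),
    ("1password service account token", re.compile(r"\bops_[A-Za-z0-9]{20,}")),
]
KEY_VALUE = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY)[A-Z0-9_]*)\s*[=:]\s*(\S+)"
)
REDACTED = "[REDACTED]"


def redact(text: str) -> str:
    """Redact credential-shaped substrings from an error message before it is
    logged or displayed.  Key names are kept so the message stays debuggable."""
    text = KEY_VALUE.sub(lambda m: f"{m.group(1)}={REDACTED}", text)
    for _name, pattern in PREFIXED_TOKENS:
        text = pattern.sub(REDACTED, text)
    return text


SENSITIVE_NAME = re.compile(r"(?i)(TOKEN|SECRET|PASSWORD|PASSWD|KEY|CREDENTIAL|PRIVATE)")
MASK = "********"


def mask_env_line(line: str) -> str:
    """KEY=value -> KEY=******** when the key name looks sensitive.  Comments,
    blank lines and variables with harmless names pass through unchanged."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" not in stripped:
        return line
    key, _sep, value = line.partition("=")
    name = key.strip()
    if name.startswith("export "):
        name = name[len("export "):].strip()
    if SENSITIVE_NAME.search(name) and value.strip():
        return f"{key}={MASK}"
    return line


SAMPLE_ERRORS = [  # constructed sample output, not from any real provider run
    "vault: permission denied for token hvs.CAESIFakeTokenForIllustration0123456789",
    "aws: InvalidClientTokenId with AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "doppler: 401 Unauthorized (dp.st.prd.FakeDopplerToken1234567890abcdef)",
    "network: connection refused to https://vault.internal:8200",
]


def demo() -> list:
    """Run the sanitizer over the constructed error lines."""
    return [redact(line) for line in SAMPLE_ERRORS]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The KEY=value rule runs first so that a redacted AWS_SECRET_ACCESS_KEY keeps its name; the prefix rules then catch tokens that appear without a key, such as a Vault token echoed inside a permission-denied message. A line with no credential shape is returned untouched.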

What EnvForge Does NOT Protect

  • Runtime memory — Decrypted values exist in memory during session
  • Terminal history — CLI commands with values may appear in shell history
  • Clipboard — Copied values are in system clipboard (not cleared automatically)
  • CLI binary integrity — EnvForge does not verify GPG signatures of provider CLIs. A compromised binary in PATH could exfiltrate secrets. Verify binary integrity yourself.
  • Cache on disk — Secret cache files are written with 0600 permissions, but their contents are plaintext TOML, not encrypted; file permissions are the only protection. Protect your home directory.

Encryption Details

  • Algorithm: age format with X25519 recipients (X25519 key agreement wraps a per-file key; the payload is encrypted with ChaCha20-Poly1305), via the age crate with the plugin feature disabled
  • Key storage: ~/.config/envforge/age.key with 0600 permissions (auto-corrected if permissive)
  • Encrypted format: ENC[age:base64data] stored in shell files
  • Key generation: Automatic on first encrypt command
  • RUSTSEC-2024-0433 mitigation: the age crate is compiled without the plugin feature, so the advisory's arbitrary binary execution vector through plugin names is not reachable

File Permissions

File                                  Permissions     Contents
~/.config/envforge/config.toml        User default    Configuration (no secrets)
~/.config/envforge/age.key            0600            Age secret key
~/.config/envforge/credentials.toml   0600            Encrypted provider credentials
~/.config/envforge/secrets-cache/     0600 per file   Cached secret values (TTL-based)
~/.config/envforge/backups/           User default    File backups
~/.config/envforge/changelog.log      User default    Change log (values masked)
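
The atomic write with SHA-256 verification described under "What EnvForge Protects", and the 0600 auto-correction of the key file described under "Encryption Details", as an added example that is not EnvForge's own code. It uses only the Python standard library; atomic_write, verify_integrity, ensure_private and demo are illustrative names, and the ".envforge-" temp-file prefix and the placeholder key contents are assumptions made for the example.

```python
import hashlib
import hmac
import os
import stat
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def atomic_write(path: str, data: bytes, mode: int = 0o600) -> str:
    """Write data so that path only ever holds the old or the complete new
    content, with mode applied before any secret bytes land on disk.
    Returns the SHA-256 of the file as read back from disk."""
    directory = os.path.dirname(os.path.abspath(path))
    # Temp file in the same directory: os.replace() is atomic only within one filesystem.
    fd, tmp = tempfile.mkstemp(prefix=".envforge-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            os.fchmod(f.fileno(), mode)      # private before content is written
            f.write(data)
            f.flush()
            os.fsync(f.fileno())             # durable before the rename becomes visible
        os.replace(tmp, path)                # atomic rename: readers never see a partial file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)                   # no half-written temp file left behind
        raise
    digest = sha256_file(path)
    if not hmac.compare_digest(digest, hashlib.sha256(data).hexdigest()):
        raise OSError(f"integrity check failed after writing {path}")
    return digest


def verify_integrity(path: str, expected_digest: str) -> bool:
    """Compare the on-disk SHA-256 against a previously recorded digest."""
    return hmac.compare_digest(sha256_file(path), expected_digest)


def ensure_private(path: str) -> bool:
    """Auto-correct a key or credential file readable by group or others.
    Returns True when permissions were tightened to 0600."""
    current = stat.S_IMODE(os.stat(path).st_mode)
    if current & 0o077:
        os.chmod(path, 0o600)
        return True
    return False


def demo() -> dict:
    """Constructed run in a temp dir: write, auto-correct perms, detect tampering."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "age.key")
        data = b"AGE-SECRET-KEY-1EXAMPLE-NOT-A-REAL-KEY\n"   # placeholder contents
        digest = atomic_write(path, data)
        mode_after_write = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, 0o644)                          # simulate a permissive key file
        tightened = ensure_private(path)
        tightened_again = ensure_private(path)         # already 0600: no-op
        mode_after_fix = stat.S_IMODE(os.stat(path).st_mode)
        intact = verify_integrity(path, digest)
        with open(path, "ab") as f:                    # non-atomic corruption/tamper
            f.write(b"garbage")
        tampered_detected = not verify_integrity(path, digest)
        leftovers = [n for n in os.listdir(d) if n.startswith(".envforge-")]
    return {"digest": digest, "mode_after_write": mode_after_write,
            "tightened": tightened, "tightened_again": tightened_again,
            "mode_after_fix": mode_after_fix, "intact": intact,
            "tampered_detected": tampered_detected, "leftovers": leftovers}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The order matters: permissions are set on the temp file before the first byte is written, fsync runs before the rename, and the rename (not the write) is what makes the new content visible, so a crash at any point leaves either the old file or the new one. The digest comparison uses hmac.compare_digest out of habit rather than necessity here, since file digests are not secret.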

Supported Versions

Version   Supported
0.1.x     Yes

Dependencies

EnvForge automatically audits dependencies daily using cargo audit and cargo deny via GitHub Actions. Key security-relevant dependencies:

  • age — Encryption (well-audited, widely used, plugin feature disabled)
  • sha2 — File integrity hashing
  • tempfile — Atomic write operations
  • serde_norway — YAML serialization (replaces deprecated serde_yaml)

Automated Security Scanning

We employ several automated tools to maintain a high security standard:

  • Cargo Audit: Checks for known vulnerabilities in our dependency tree daily.
  • Cargo Deny: Enforces license compliance and bans problematic crates.
  • Dependabot: Automatically manages dependency updates to keep us on the latest secure versions.
  • CodeQL: Performs static analysis to detect potential security vulnerabilities in the codebase.
  • CLI Binary Audit: Weekly CI check verifying installed versions of the 13 provider CLI binaries against minimum requirements.

Secret Provider CLI Requirements

All 13 secret providers use external CLI binaries. EnvForge passes credentials via environment variables or stdin (never CLI flags) to prevent credential leakage via /proc/PID/cmdline.

Minimum CLI Versions

Provider             Binary        Minimum Version   Security Notes
HashiCorp Vault      vault         1.15.0            Advisories
AWS SSM              aws           2.13.0            Advisories
Azure Key Vault      az            2.50.0            Advisories
GCP Secret Manager   gcloud        450.0.0           Advisories
1Password            op            2.25.0            Advisories
Doppler              doppler       3.50.0            Docs
Infisical            infisical     0.14.0            Releases
Akeyless             akeyless      1.50.0            Docs
Bitwarden            bws           0.10.0            Releases
CyberArk Conjur      conjur        1.0.0             Releases
Keeper               ksm           1.0.0             Docs
Mozilla SOPS         sops          3.8.0             Releases
pass/gopass          pass/gopass   1.7.0             Releases

Credential Passing Methods

Provider             Method            Environment Variables
HashiCorp Vault      Env vars          VAULT_ADDR, VAULT_TOKEN
AWS SSM              Env vars          AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_PROFILE, AWS_DEFAULT_REGION
Azure Key Vault      Azure CLI auth    (managed by az login)
GCP Secret Manager   gcloud auth       (managed by gcloud auth)
1Password            Env var           OP_SERVICE_ACCOUNT_TOKEN
Doppler              Env var           DOPPLER_TOKEN
Infisical            Env var           INFISICAL_TOKEN
Akeyless             Env vars          AKEYLESS_ACCESS_ID, AKEYLESS_ACCESS_KEY
Bitwarden            Env var           BWS_ACCESS_TOKEN
CyberArk Conjur      Stdin pipe        CONJUR_APPLIANCE_URL, CONJUR_ACCOUNT, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY
Keeper               Config file       (managed by ksm)
Mozilla SOPS         Env var           SOPS_AGE_KEY_FILE
pass/gopass          Env var           PASSWORD_STORE_DIR
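
An added example (not EnvForge's code) of the credential-passing rule behind the two tables above: it shows what /proc/PID/cmdline exposes when a token is placed on a command line, and the environment-variable and stdin-pipe channels that avoid it. The Invocation type, the guard that refuses to spawn when a credential sits in argv, and the use of sh and cat in place of a real provider CLI are assumptions made for the example; the token value is constructed. The /proc read only works on Linux and returns None elsewhere.

```python
import os
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional

TOKEN = "hvs.ExampleVaultTokenNotReal00000000000000"   # constructed, not a real credential


@dataclass
class Invocation:
    """How a provider CLI gets spawned.  argv is visible to every local user
    through /proc/PID/cmdline (and ps); env and stdin are seen only by the child."""
    argv: List[str]
    env: dict = field(default_factory=dict)
    stdin: Optional[bytes] = None


def argv_leaks(inv: Invocation, secrets: List[str]) -> List[str]:
    """Return the secrets that would appear on the child's command line."""
    return [s for s in secrets if any(s in arg for arg in inv.argv)]


def child_env(inv: Invocation) -> dict:
    # Minimal base environment: don't hand the provider CLI every variable the
    # parent shell happens to export, only PATH plus the provider's own vars.
    return {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), **inv.env}


def run(inv: Invocation, secrets: List[str]) -> subprocess.CompletedProcess:
    """Spawn the CLI, refusing if a credential would land in argv."""
    if argv_leaks(inv, secrets):
        raise ValueError("refusing to spawn: credential present in argv")
    return subprocess.run(inv.argv, env=child_env(inv), input=inv.stdin,
                          capture_output=True, check=False)


def cmdline_as_seen_by_others(inv: Invocation) -> Optional[str]:
    """Spawn inv and read /proc/PID/cmdline while the child is alive.  The
    child must block on stdin; the newline written afterwards releases it.
    Returns None where /proc is not available (non-Linux)."""
    if not sys.platform.startswith("linux"):
        return None
    p = subprocess.Popen(inv.argv, env=child_env(inv), stdin=subprocess.PIPE,
                         stdout=subprocess.DEVNULL)
    try:
        with open(f"/proc/{p.pid}/cmdline", "rb") as f:
            raw = f.read()
    except OSError:
        raw = None
    finally:
        p.communicate(b"\n")
    return None if raw is None else raw.replace(b"\0", b" ").decode(errors="replace")


# `read` makes sh wait on stdin so its cmdline can be inspected in the meantime.
BLOCKING_SH = ["sh", "-c", "read _line; true"]


def demo() -> dict:
    # Naive wrapper: token passed as a positional argument (becomes $1 for sh).
    naive = Invocation(argv=BLOCKING_SH + ["sh", TOKEN])
    exposed = cmdline_as_seen_by_others(naive)
    try:
        run(naive, [TOKEN])
        refused = False
    except ValueError:
        refused = True
    # Env var channel (the "Env vars" rows above): the child reads $VAULT_TOKEN.
    via_env = Invocation(argv=["sh", "-c", 'printf %s "$VAULT_TOKEN"'],
                         env={"VAULT_TOKEN": TOKEN})
    env_seen = run(via_env, [TOKEN]).stdout.decode()
    safe = cmdline_as_seen_by_others(Invocation(argv=BLOCKING_SH, env={"VAULT_TOKEN": TOKEN}))
    # Stdin pipe channel (the Conjur row above): the child reads the token from stdin.
    via_stdin = Invocation(argv=["cat"], stdin=TOKEN.encode())
    stdin_seen = run(via_stdin, [TOKEN]).stdout.decode()
    return {"exposed_cmdline": exposed, "refused": refused, "env_seen": env_seen,
            "safe_cmdline": safe, "stdin_seen": stdin_seen}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Running demo() on Linux prints the token inside exposed_cmdline and not inside safe_cmdline, while the child still receives it intact through the environment and through stdin. The argv guard is a cheap last line of defence for wrappers that build command lines from user-supplied templates. Note that the environment of a process is readable by the same user via /proc/PID/environ, so env vars protect against other local users, not against an attacker already running as you.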
