Only the current minor release line gets security fixes. Older releases may be yanked from PyPI rather than patched.
| Version | Supported |
|---|---|
| 0.5.x | ✅ |
| < 0.5 | ❌ (legacy projctl / projhub releases — please upgrade) |
Do NOT open a public GitHub issue for security vulnerabilities.
Please use one of:
- GitHub private vulnerability reporting (preferred): https://github.com/FelipeCarillo/holoctl/security/advisories/new
- Email the maintainer directly (address in commit history).
Include:
- Description of the vulnerability and where it lives (file:line if you have it).
- Steps to reproduce.
- Potential impact — local read? local write? remote?
- A suggested fix if you have one.
We aim to acknowledge within 72 hours and ship a fix within 14 days for critical issues. We will credit you in the release notes unless you prefer to stay anonymous.
holoctl is a local development tool. It runs on your machine, reads and writes inside the workspace you point it at, and (when you run holoctl serve) opens a web server bound to localhost only by default. It does not make outbound network calls except via pip / uv during installation.
| Vector | Mitigation |
|---|---|
| Untrusted .holoctl/config.json in a cloned repo | Config is JSON, parsed with the stdlib parser. No code execution path from config values. The commands.boardCli field is not exec'ed by holoctl itself — it is documentation embedded into compiled instructions for AI tools. |
| Untrusted ticket files with malicious frontmatter | Frontmatter is YAML-style key:value pairs parsed by a small in-house parser (markdown.js / markdown.py) that does not execute YAML tags. Values are treated as strings. |
| Untrusted compile output overwriting user files | compile writes to fixed, documented paths (CLAUDE.md, .claude/commands/, etc.). Each generated file starts with `<!-- Generated by holoctl. Do not edit directly. Source: .holoctl/ -->`. Users running compile should expect those paths to be overwritten. |
| holoctl serve exposing internal state on the network | Default bind is 127.0.0.1 (localhost). --host 0.0.0.0 requires explicit opt-in. The dashboard has no auth — do not expose to the public internet without putting it behind a reverse proxy with auth. |
| Auto-rename of .projctl/ or .projhub/ → .holoctl/ | Triggered only when loadConfig/saveConfig runs. Will NOT overwrite an existing .holoctl/. If both legacy and canonical dirs exist, legacy is left untouched. |
| Subprocess: git for repo info | git rev-parse, git status --porcelain, git log -1, git remote get-url origin. All called via stdlib subprocess with fixed argv — no shell, no string interpolation. Cwd is the discovered subdir. |
| Subprocess: none other | holoctl does not exec arbitrary commands from config or tickets. |
| Filesystem traversal | discover_repos is depth-1 only. Does not follow symlinks into parent dirs. |
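
The frontmatter row above describes key:value parsing in which values stay strings and YAML tags are never executed. A minimal sketch of that approach follows, as an added example that is not holoctl's markdown.py; the function name, the `---` delimiter and the sample ticket are assumptions.

```python
# Added illustration, not holoctl's markdown.py; all names here are hypothetical.
FENCE = "---"  # assumed frontmatter delimiter


def parse_frontmatter(text: str) -> tuple[dict[str, str], str]:
    """Split a ticket into (metadata, body); every value stays a plain str."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != FENCE:
        return {}, text  # no frontmatter block
    try:
        end = next(i for i, ln in enumerate(lines[1:], 1) if ln.strip() == FENCE)
    except StopIteration:
        return {}, text  # unterminated block: treat everything as body
    meta: dict[str, str] = {}
    for raw in lines[1:end]:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition(":")  # split on the first colon only
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue  # not a key:value pair
        # Strip one pair of matching quotes; tags, anchors and numbers are
        # never interpreted, they remain literal text.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        meta[key] = value
    return meta, "\n".join(lines[end + 1:])


# Constructed sample: values a full YAML loader would resolve or construct.
SAMPLE_TICKET = """---
id: T-042
title: "Fix login redirect"
status: !!python/object/apply:os.getcwd []
assignee: &a alice
priority: 3
link: https://example.com/t/42
---
Body text of the ticket.
"""


if __name__ == "__main__":
    meta, body = parse_frontmatter(SAMPLE_TICKET)
    for k, v in meta.items():
        print(f"{k}: {v!r}")
```

Because the parser has no construction step, a tagged value can only ever reach callers as literal text, which is the property to assert in a regression test.
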
- Multi-tenant or untrusted-user environments. Treat the workspace dir as fully trusted.
- Public-facing deployments of holoctl serve.
- Storing secrets in .holoctl/. The dir is meant to be checked into git.
If you find behavior that contradicts the above, please report it.