Security

TameAGENTS treats workspace guidance with the same care as source code. Follow the guidelines in SECURITY.md (summarized below) when reporting issues or hardening deployments.

Practices

Coordinated disclosure

Report vulnerabilities via GitHub Security Advisories or email security@tameagents.dev. We aim to respond within 2 business days.

Least privilege packaging

The VS Code extension ships without bundled dependencies and requests the minimum activation events needed to read agents.md.

Reproducible builds

Every release is built via pnpm workspaces with locked dependencies. Docker images use Next.js standalone output for a smaller attack surface.

Reporting flow

  1. Email security@tameagents.dev or open a private GitHub Security Advisory.
  2. Include affected versions, reproduction steps, and whether the issue impacts the CLI, VS Code extension, or website.
  3. Allow us time to triage and ship a fix before publishing details.

Need PGP? Import the key listed in SECURITY.md. We also document dependency update cadences in ROADMAP.md to keep supply-chain risks visible.