| Version | Supported |
|---|---|
| 0.4.x | ✅ |
| 0.3.x | ✅ |
| 0.2.x | ✅ |
| < 0.2 | ❌ |
If you discover a security vulnerability in Godspeed, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email Ttimmsinternational@gmail.com with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You will receive an acknowledgment within 48 hours and a detailed response within 7 days indicating next steps.
Godspeed is built with a security-first architecture:
- 4-tier permission engine: deny-first evaluation (deny > dangerous > session > allow > ask > default)
- Dangerous command detection: 71 regex patterns for destructive operations
- Secret protection: 4-layer defense (access control, context cleaning, output filtering, audit redaction) with 27 regex patterns + Shannon entropy analysis
- Hash-chained audit trail: tamper-evident JSONL logs with SHA-256 chain.
Audit writes fail closed — any I/O error raises
AuditWriteErrorand the chain state does not advance, so a successful retry chains cleanly from the last persisted record. - Fail-closed defaults: permission timeouts result in denial
The following are in scope for security reports:
- Permission bypass (tool executes without proper authorization)
- Audit trail tampering (hash chain can be modified without detection)
- Secret leakage (secrets appear in LLM context, output, or logs)
- Dangerous command bypass (destructive commands execute without detection)
- Prompt injection via GODSPEED.md or tool outputs