tolo/SECURITY.md

# Security Policy

## Supported Versions

Only the latest version of Tolo receives security updates and bug fixes. Users are strongly encouraged to keep Tolo updated to the latest version.

## Reporting a Vulnerability

If you discover a security vulnerability in Tolo, please report it responsibly.

### How to Report

1. **Do not** create a public issue
2. Send an email to: [security@selamanapps.com](mailto:security@selamanapps.com)
3. Include as much detail as possible:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

### What Happens Next?

- You will receive an acknowledgment within 48 hours
- We will investigate the vulnerability
- We will work with you to develop a fix
- Once fixed, we will coordinate the disclosure

## Security Best Practices

### File Permissions

Tolo stores aliases in `~/.tolo/tolo.db.json`. Ensure this file has appropriate permissions:

```bash
chmod 600 ~/.tolo/tolo.db.json
```

### Sensitive Information

- Avoid storing passwords or API keys directly in aliases
- Use environment variables for sensitive data
- Be careful with commands that contain credentials

### Command Execution

Tolo executes commands exactly as saved. Always verify aliases before running:

```bash
tolo show alias-name
```

## Dependency Security

Tolo is built with pure Go and minimal dependencies. We regularly update dependencies to address security issues. The project uses GitHub Dependabot for automated dependency updates.

## Security Features

- **No remote network calls** - Tolo runs entirely locally
- **File-based storage** - No database servers
- **Simple JSON format** - Easy to audit
- **No external dependencies** - Minimal attack surface
Initial release: Tolo v1.0.0 - Add core CLI functionality (save, run, update, delete, list, show, search) - Implement JSON-based storage in ~/.tolo/tolo.db.json - Add beautiful terminal UI with colors and icons - Support command shortcuts (s, r, u, d, ls, l, sh, se, h, v) - Add Bash and Zsh shell completion - Include comprehensive documentation (README, CONTRIBUTING, SECURITY) - Set up CI/CD workflows with GitHub Actions - Add installation script and Makefile for build automation - MIT License Made with ❤️ at Zemenawi Lab 2026-03-27 06:44:03 +03:00			`# Security Policy`

			`## Supported Versions`

			`Only the latest version of Tolo receives security updates and bug fixes. Users are strongly encouraged to keep Tolo updated to the latest version.`

			`## Reporting a Vulnerability`

			`If you discover a security vulnerability in Tolo, please report it responsibly.`

			`### How to Report`

			`1. Do not create a public issue`
			`2. Send an email to: [security@selamanapps.com](mailto:security@selamanapps.com)`
			`3. Include as much detail as possible:`
			`- Description of the vulnerability`
			`- Steps to reproduce`
			`- Potential impact`
			`- Suggested fix (if any)`

			`### What Happens Next?`

			`- You will receive an acknowledgment within 48 hours`
			`- We will investigate the vulnerability`
			`- We will work with you to develop a fix`
			`- Once fixed, we will coordinate the disclosure`

			`## Security Best Practices`

			`### File Permissions`

			Tolo stores aliases in `~/.tolo/tolo.db.json`. Ensure this file has appropriate permissions:

			```bash
			`chmod 600 ~/.tolo/tolo.db.json`
			```

			`### Sensitive Information`

			`- Avoid storing passwords or API keys directly in aliases`
			`- Use environment variables for sensitive data`
			`- Be careful with commands that contain credentials`

			`### Command Execution`

			`Tolo executes commands exactly as saved. Always verify aliases before running:`

			```bash
			`tolo show alias-name`
			```

			`## Dependency Security`

			`Tolo is built with pure Go and minimal dependencies. We regularly update dependencies to address security issues. The project uses GitHub Dependabot for automated dependency updates.`

			`## Security Features`

			`- No remote network calls - Tolo runs entirely locally`
			`- File-based storage - No database servers`
			`- Simple JSON format - Easy to audit`
			`- No external dependencies - Minimal attack surface`