amancca/tolo
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions
tolo/SECURITY.md
selamanapps 40a80a6c9b Initial release: Tolo v1.0.0 
- Add core CLI functionality (save, run, update, delete, list, show, search)
- Implement JSON-based storage in ~/.tolo/tolo.db.json
- Add beautiful terminal UI with colors and icons
- Support command shortcuts (s, r, u, d, ls, l, sh, se, h, v)
- Add Bash and Zsh shell completion
- Include comprehensive documentation (README, CONTRIBUTING, SECURITY)
- Set up CI/CD workflows with GitHub Actions
- Add installation script and Makefile for build automation
- MIT License

Made with ❤️ at Zemenawi Lab
2026-03-27 06:44:03 +03:00

61 lines
1.7 KiB
Markdown
Raw Blame History

# Security Policy
## Supported Versions
Only the latest version of Tolo receives security updates and bug fixes. Users are strongly encouraged to keep Tolo updated to the latest version.
## Reporting a Vulnerability
If you discover a security vulnerability in Tolo, please report it responsibly.
### How to Report
1. **Do not** create a public issue
2. Send an email to: [security@selamanapps.com](mailto:security@selamanapps.com)
3. Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
### What Happens Next?
- You will receive an acknowledgment within 48 hours
- We will investigate the vulnerability
- We will work with you to develop a fix
- Once fixed, we will coordinate the disclosure
## Security Best Practices
### File Permissions
Tolo stores aliases in `~/.tolo/tolo.db.json`. Ensure this file has appropriate permissions:
```bash
chmod 600 ~/.tolo/tolo.db.json
```
### Sensitive Information
- Avoid storing passwords or API keys directly in aliases
- Use environment variables for sensitive data
- Be careful with commands that contain credentials
### Command Execution
Tolo executes commands exactly as saved. Always verify aliases before running:
```bash
tolo show alias-name
```
## Dependency Security
Tolo is built with pure Go and minimal dependencies. We regularly update dependencies to address security issues. The project uses GitHub Dependabot for automated dependency updates.
## Security Features
- **No remote network calls** - Tolo runs entirely locally
- **File-based storage** - No database servers
- **Simple JSON format** - Easy to audit
- **No external dependencies** - Minimal attack surface
Reference in a new issue View git blame Copy permalink