fj/SECURITY.md

# Security policy

## Reporting a vulnerability

Please report security issues to **stephen@rasterstate.com** rather than
opening a public issue. Encrypt with the GPG key below if the issue is
sensitive. Expect a response within 72 hours.

Include if possible:

- A clear description of the issue and impact.
- Steps to reproduce, with a minimal example.
- The fj version (`fj --version`) and Forgejo version
  (`fj api /version`).

## Threat model

fj is a CLI that:

- Stores Forgejo API tokens in the OS keychain (macOS Keychain, Linux
  Secret Service, Windows Credential Manager). Tokens are never written
  to disk in `hosts.toml` or anywhere else under our control.
- Sends those tokens as bearer headers over HTTPS to the configured
  hosts. The HTTP client uses rustls with the platform's trust store.
- Shells out to `git` for clone, fetch, and credential-helper setup.
- Opens `$EDITOR` for body inputs and `$FJ_PAGER` / `$PAGER` for long
  output.

Out of scope:

- Vulnerabilities in Forgejo itself. Report those to the Forgejo project.
- Vulnerabilities in `cargo` or in dependent crates. Those should be
  reported via `cargo audit` channels.
- Loss of tokens stored in the OS keychain via OS-level compromise.

## Known sharp edges

- `fj auth token` and `fj auth status --show-token` print plaintext
  tokens. We refuse to write to a TTY by default (since this risks
  capture in shell history). Pass `--force` to override, or pipe to a
  consumer like a credential helper.
- `fj auth setup-git` registers a `credential.helper` that invokes
  `fj auth token` at git-credential time. The hostname is validated
  against a strict DNS-style pattern at setup, but the helper string
  still passes through git's `!`-prefix shell evaluator at use time. If
  you've configured fj to talk to a host that some other tool added an
  attacker-controlled value for, audit your git config.
- `fj extension`'s plugin dispatch shells out to `fj-<name>` binaries
  on PATH. Treat any executable named `fj-*` on PATH as trusted code.

## Token hygiene

- Rotate Forgejo tokens periodically. `fj auth refresh --token NEW`
  replaces the stored value without losing your host config.
- Scope tokens narrowly when the API supports it. fj only needs the
  scopes for the operations you actually run.
- If you suspect a token is compromised, revoke it on the Forgejo side
  immediately, then `fj auth logout --host <host>` and `fj auth login
  --host <host>` to re-pair.

## Versions

We aim to fix security issues in the latest `main` and one prior minor
release. There is no LTS branch yet.

## GPG key

(Not yet published. Email reports without encryption are acceptable for
now; ack within 72 hours.)
bugs + agent-focused Forgejo gaps + CI + docs Bugs: * Shell injection in `fj auth setup-git`: the hostname is now validated against a strict DNS pattern and `git config` is invoked directly (no `sh -c`). Added 4 unit tests covering shell metacharacters. * Pager won't compile on Windows: the libc-based dup2 redirect lives behind `#[cfg(unix)]`. Non-Unix gets a no-op stub. Agent-focused Forgejo API gaps: * `fj issue edit-comment ID` / `delete-comment ID`. Fix a wrong comment after the fact (an agent's bread-and-butter). * `fj search code "..." [-R owner/name]`. The most-requested missing search dimension for codebase exploration. * `fj pr request-review N user1 user2`, `unrequest-review N user`. Distinct from `pr review` (your own approval/changes/comment). * `fj repo watch / unwatch / star / unstar / starred`. Mark repos for monitoring. * `fj milestone {list,view,create,edit,close,reopen,delete,assign}` with `assign N --milestone ID\|none` to attach an issue/PR. UX + stability: * Global `--json-fields foo,bar` projection on top of any `--json` output, gh-style. Dotted-path support (`--json-fields owner.login`). * 429 / Retry-After honored in the retry loop with a 30 s cap. * Clap `suggestions` feature for typo'd subcommands. * `fj auth token` and `auth status --show-token` refuse to write to a TTY by default (`--force` to override). CI: * `.forgejo/workflows/ci.yml` runs fmt/clippy/test/release-build on every push and PR, mirroring the local pre-push hook. Docs: * `SECURITY.md` with threat model and known sharp edges. * `docs/gh-to-fj.md` full command-by-command mapping. * `docs/faq.md` covering tokens, hosts, debug, scripting, plugins. Tests: 60 → 75 passing (2 ignored: editor and env-mutating tests that fight the cargo test harness on macOS). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-13 21:52:28 +00:00			`# Security policy`

			`## Reporting a vulnerability`

			`Please report security issues to stephen@rasterstate.com rather than`
			`opening a public issue. Encrypt with the GPG key below if the issue is`
			`sensitive. Expect a response within 72 hours.`

			`Include if possible:`

			`- A clear description of the issue and impact.`
			`- Steps to reproduce, with a minimal example.`
			- The fj version (`fj --version`) and Forgejo version
			(`fj api /version`).

			`## Threat model`

			`fj is a CLI that:`

			`- Stores Forgejo API tokens in the OS keychain (macOS Keychain, Linux`
			`Secret Service, Windows Credential Manager). Tokens are never written`
			to disk in `hosts.toml` or anywhere else under our control.
			`- Sends those tokens as bearer headers over HTTPS to the configured`
			`hosts. The HTTP client uses rustls with the platform's trust store.`
			- Shells out to `git` for clone, fetch, and credential-helper setup.
			- Opens `$EDITOR` for body inputs and `$FJ_PAGER` / `$PAGER` for long
			`output.`

			`Out of scope:`

			`- Vulnerabilities in Forgejo itself. Report those to the Forgejo project.`
			- Vulnerabilities in `cargo` or in dependent crates. Those should be
			reported via `cargo audit` channels.
			`- Loss of tokens stored in the OS keychain via OS-level compromise.`

			`## Known sharp edges`

			- `fj auth token` and `fj auth status --show-token` print plaintext
			`tokens. We refuse to write to a TTY by default (since this risks`
			capture in shell history). Pass `--force` to override, or pipe to a
			`consumer like a credential helper.`
			- `fj auth setup-git` registers a `credential.helper` that invokes
			`fj auth token` at git-credential time. The hostname is validated
			`against a strict DNS-style pattern at setup, but the helper string`
			still passes through git's `!`-prefix shell evaluator at use time. If
			`you've configured fj to talk to a host that some other tool added an`
			`attacker-controlled value for, audit your git config.`
			- `fj extension`'s plugin dispatch shells out to `fj-<name>` binaries
			on PATH. Treat any executable named `fj-*` on PATH as trusted code.

			`## Token hygiene`

			- Rotate Forgejo tokens periodically. `fj auth refresh --token NEW`
			`replaces the stored value without losing your host config.`
			`- Scope tokens narrowly when the API supports it. fj only needs the`
			`scopes for the operations you actually run.`
			`- If you suspect a token is compromised, revoke it on the Forgejo side`
			immediately, then `fj auth logout --host <host>` and `fj auth login
			--host <host>` to re-pair.

			`## Versions`

			We aim to fix security issues in the latest `main` and one prior minor
			`release. There is no LTS branch yet.`

			`## GPG key`

			`(Not yet published. Email reports without encryption are acceptable for`
			`now; ack within 72 hours.)`