2.0 KiB
2.0 KiB
Security Policy
Supported Versions
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Reporting a Vulnerability
If you discover a security vulnerability in TAKT, please report it responsibly.
How to Report
- Do NOT create a public GitHub issue for security vulnerabilities
- Send an email to the maintainer with:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes (optional)
What to Expect
- Acknowledgment: Within 7 days of your report
- Status Update: Within 14 days with an initial assessment
- Resolution: Depending on severity, typically within 30-90 days
Disclosure Policy
- We follow responsible disclosure practices
- We will credit reporters in the security advisory (unless you prefer anonymity)
- Please allow us reasonable time to address the issue before public disclosure
Security Considerations
TAKT-Specific Security Notes
TAKT orchestrates AI agents that can execute code and access files. Users should be aware:
- Trusted Directories: TAKT requires explicit configuration of trusted directories in
~/.takt/config.yaml - Agent Permissions: Agents have access to tools like Bash, Edit, Write based on their configuration
- Piece Definitions: Only use piece files from trusted sources
- Session Logs: Session logs in
.takt/logs/may contain sensitive information
Best Practices
- Review piece YAML files before using them
- Keep TAKT updated to the latest version
- Limit trusted directories to necessary paths only
- Be cautious when using custom agents from untrusted sources
- Review agent prompts before execution
Dependencies
TAKT uses the @anthropic-ai/claude-agent-sdk and other npm packages. We recommend:
- Running
npm auditregularly - Keeping dependencies updated
- Reviewing Dependabot alerts if enabled
Contact
For security concerns, please reach out via the repository's security advisory feature or contact the maintainer directly.