Barazo lexicon schemas and TypeScript types barazo.forum
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

docs(security): add repo-specific security scope and practices (#7)

Replaces generic boilerplate with lexicon-specific security guidance
covering schema validation bypass, type generation flaws, npm supply
chain attacks, and AT Protocol namespace compliance.

authored by

Guido X Jansen and committed by
GitHub
0c1dedf9 764b4ee2

+23 -4
+23 -4
.github/SECURITY.md
··· 18 18 3. Click "Report a vulnerability" 19 19 4. Fill in the details 20 20 21 - Or email: security@barazo.forum (TBD - will be set up in Phase 2) 21 + Or email: security@barazo.forum 22 22 23 23 We will respond within 72 hours with next steps. 24 24 25 + ## Security Scope for This Repo 26 + 27 + barazo-lexicons defines AT Protocol lexicon schemas and generates TypeScript types. The following areas are in scope for security reports: 28 + 29 + ### Schema Validation 30 + - **Schema bypass** -- crafted AT Protocol records that pass lexicon validation but contain malicious or unexpected data 31 + - **Type generation flaws** -- generated TypeScript types that are more permissive than the lexicon schema allows, enabling invalid data to pass type checks 32 + - **Missing constraints** -- fields that should have length limits, pattern restrictions, or enum constraints but don't 33 + 34 + ### Supply Chain 35 + - **npm package tampering** -- the published `@barazo-forum/lexicons` package containing code or types not present in the source repo 36 + - **Build script injection** -- malicious code in the type generation pipeline that could execute during `npm install` or build 37 + - **Dependency confusion** -- packages with similar names that could be installed instead of the legitimate package 38 + 39 + ### AT Protocol Compliance 40 + - **Namespace violations** -- schemas using namespaces outside `forum.barazo.*` that could conflict with other AT Protocol applications 41 + - **Record size abuse** -- schemas that permit records large enough to cause storage or processing issues in downstream consumers (AppView, PDS) 42 + 25 43 ## Security Practices 26 44 27 - - All commits must be GPG signed 45 + - Lexicon schemas follow the AT Protocol specification 46 + - Generated TypeScript types use strict mode (no `any`) 47 + - Published package contains only schemas and generated types (no runtime code with side effects) 28 48 - Dependencies updated weekly via Dependabot 29 - - CI runs security scans on every PR 30 - - OWASP Top 10 compliance verified 49 + - CodeQL security scanning on every PR 31 50 32 51 ## Disclosure Policy 33 52