SECURITY.md

# Security Policy

## Supported Versions

| Version | Supported |
|---|---|
| 1.0.x | yes |
| < 1.0 | no |

## Trust Model

Imhotep is a test framework. It runs with the privileges of the invoking test process.

Primary trust boundaries:

1. Node test process (full local process privileges)
2. Playwright browser context (page JavaScript execution)
3. CDP extraction channel (local browser debugging protocol)

## Execution Safety Posture

- No dynamic `eval`/`new Function` based execution for assertions.
- Assertions are compiled to structured representations (AST/IR/FOL), then evaluated.
- Runtime extraction diagnostics fail closed instead of silently passing unsupported cases.

## CDP Constraints

- CDP usage is intended for local Playwright sessions.
- Extraction is read-oriented (DOM/CSS/layout facts) with temporary correlation attributes removed after use.
- No built-in remote debugger dialing behavior is provided by framework defaults.

## User-Supplied Code Risks

The following run as trusted code and must be treated accordingly:

- custom renderer adapters
- custom predicates/evaluators
- fixture pages loaded in browser contexts

Do not run untrusted fixtures, renderers, or test helpers in privileged environments.

## Data Sensitivity

Imhotep outputs may include selectors, text labels, geometry, and diagnostics.

- Treat logs/artifacts as potentially sensitive in CI.
- Redact or avoid committing environment-specific secrets captured by test harness code.

## Vulnerability Reporting

Open a GitHub issue labeled `security` for non-sensitive reports.

If disclosure should be private first, include "PRIVATE SECURITY REPORT" in the issue title and avoid posting exploit details until maintainers respond.
v1.1.0: pooled runtime, 959 tests, production hardening (0 squash) 2025-08-15 10:00:00 -07:00			`# Security Policy`

			`## Supported Versions`

			`\| Version \| Supported \|`
			`\|---\|---\|`
			`\| 1.0.x \| yes \|`
			`\| < 1.0 \| no \|`

			`## Trust Model`

			`Imhotep is a test framework. It runs with the privileges of the invoking test process.`

			`Primary trust boundaries:`

			`1. Node test process (full local process privileges)`
			`2. Playwright browser context (page JavaScript execution)`
			`3. CDP extraction channel (local browser debugging protocol)`

			`## Execution Safety Posture`

			- No dynamic `eval`/`new Function` based execution for assertions.
			`- Assertions are compiled to structured representations (AST/IR/FOL), then evaluated.`
			`- Runtime extraction diagnostics fail closed instead of silently passing unsupported cases.`

			`## CDP Constraints`

			`- CDP usage is intended for local Playwright sessions.`
			`- Extraction is read-oriented (DOM/CSS/layout facts) with temporary correlation attributes removed after use.`
			`- No built-in remote debugger dialing behavior is provided by framework defaults.`

			`## User-Supplied Code Risks`

			`The following run as trusted code and must be treated accordingly:`

			`- custom renderer adapters`
			`- custom predicates/evaluators`
			`- fixture pages loaded in browser contexts`

			`Do not run untrusted fixtures, renderers, or test helpers in privileged environments.`

			`## Data Sensitivity`

			`Imhotep outputs may include selectors, text labels, geometry, and diagnostics.`

			`- Treat logs/artifacts as potentially sensitive in CI.`
			`- Redact or avoid committing environment-specific secrets captured by test harness code.`

			`## Vulnerability Reporting`

			Open a GitHub issue labeled `security` for non-sensitive reports.

			`If disclosure should be private first, include "PRIVATE SECURITY REPORT" in the issue title and avoid posting exploit details until maintainers respond.`