Imhotep/SECURITY.md
John Dvorak dd64e1e34a v1.1.0: repo polish, CI fixes, version alignment, dead artifact cleanup
Root package: renamed to imhotep-monorepo, fixed broken scripts (test:unit/integration/e2e),
removed inappropriate root deps, fixed build order, updated clean script

CI: branch trigger main->master, npm ci->npm install, GitHub cache URL->Gitea

Docs: replaced scaffolded root README with real project README, added package READMEs
for imhotep/imhotep-playwright/imhotep-dsl/imhotep-core, added RELEASE.md checklist

Version: all 14 packages and root aligned to 1.1.0, CHANGELOG test count fixed (1125)

Metadata: 14 repository URLs github->gitea, 13 package descriptions added,
imhotep-cli exports field added, SECURITY.md updated for Gitea+disclosure email

Quality: noEmitOnError:true in 13 tsconfigs, collapsed duplicate interfaces in public.ts,
clippedBy test->test.skip, fixed broken dynamic import in imhotep index.test.ts,
694 generated src artifacts cleaned, V8 logs removed, .gitignore updated
2026-05-21 10:10:11 -07:00


# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| 1.1.x   | yes       |
| < 1.1   | no        |

## Trust Model

Imhotep is a test framework. It runs with the privileges of the invoking test process.

Primary trust boundaries:

1. Node test process (full local process privileges)
2. Playwright browser context (page JavaScript execution)
3. CDP extraction channel (local browser debugging protocol)

## Execution Safety Posture

- No dynamic `eval`/`new Function`-based execution for assertions.
- Assertions are compiled to structured representations (AST/IR/FOL), then evaluated.
- Runtime extraction diagnostics fail closed instead of silently passing unsupported cases.
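Added example, not Imhotep's own code: a small interpreter over a structured assertion AST that evaluates without `eval` or `new Function` and throws on anything it does not recognise, which is the fail-closed behaviour the two points above describe. The node shapes, fact names and sample facts are assumptions standing in for the framework's real IR.

```typescript
// Added example, not Imhotep's own code: node shapes, fact names and the
// sample facts are assumptions standing in for the framework's real IR.
type Fact = Record<string, number | string | boolean>;
type Expr =
  | { kind: "const"; value: number | string | boolean }
  | { kind: "fact"; name: string }
  | { kind: "cmp"; op: "==" | "<" | "<=" | ">" | ">="; left: Expr; right: Expr }
  | { kind: "and"; items: Expr[] }
  | { kind: "not"; item: Expr };
// Interpret the AST against extracted facts. Unknown facts, operators or
// node kinds throw instead of passing (fail closed); nothing is eval'd.
function evaluate(node: Expr, facts: Fact): number | string | boolean {
  switch (node.kind) {
    case "const":
      return node.value;
    case "fact":
      if (!Object.prototype.hasOwnProperty.call(facts, node.name)) {
        throw new Error(`unsupported: unknown fact ${node.name}`);
      }
      return facts[node.name];
    case "cmp": {
      const l = evaluate(node.left, facts);
      const r = evaluate(node.right, facts);
      if (node.op === "==") return l === r;
      if (typeof l !== "number" || typeof r !== "number") {
        throw new Error(`unsupported: ordering on ${typeof l}/${typeof r}`);
      }
      switch (node.op) {
        case "<": return l < r;
        case "<=": return l <= r;
        case ">": return l > r;
        case ">=": return l >= r;
        default: throw new Error("unsupported: operator");
      }
    }
    case "and": // every item must be exactly `true`; non-booleans do not pass
      return node.items.every((n) => evaluate(n, facts) === true);
    case "not":
      return evaluate(node.item, facts) !== true;
    default:
      throw new Error(`unsupported: node ${JSON.stringify(node)}`);
  }
}
// Constructed sample: layout facts of the kind a CDP extraction could yield.
const sampleFacts: Fact = { "button.width": 120, "button.visible": true };
const widthAndVisible: Expr = { kind: "and", items: [
  { kind: "cmp", op: ">=", left: { kind: "fact", name: "button.width" }, right: { kind: "const", value: 100 } },
  { kind: "fact", name: "button.visible" },
] };
```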

## CDP Constraints

- CDP usage is intended for local Playwright sessions.
- Extraction is read-oriented (DOM/CSS/layout facts); temporary correlation attributes are removed after use.
- Framework defaults provide no built-in behavior for dialing a remote debugger.

## User-Supplied Code Risks

The following run as trusted code and must be treated accordingly:

- custom renderer adapters
- custom predicates/evaluators
- fixture pages loaded in browser contexts

Do not run untrusted fixtures, renderers, or test helpers in privileged environments.

## Data Sensitivity

Imhotep outputs may include selectors, text labels, geometry, and diagnostics.

- Treat logs/artifacts as potentially sensitive in CI.
- Redact or avoid committing environment-specific secrets captured by test harness code.

## Vulnerability Reporting

To report a security vulnerability, open an issue on the Gitea repository labeled `security`.

For private disclosure, email security@imhotep.dev. Include the affected package, version, and a description of the issue. Maintainers will respond within 5 business days.