CE-Harness takes security seriously. As a harness for LLM agents, it deals with sensitive contexts, secrets, and PII. This document describes how to report security vulnerabilities.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please use one of the following channels (in order of preference):
- GitHub Security Advisories: https://github.com/doz34/context-engineering-harness/security/advisories/new
- Email: doz34@users.noreply.github.com (PGP key below if you need confidentiality)
- Direct message to @doz34 on GitHub
Please include:
- Description of the vulnerability
- Steps to reproduce (minimal PoC if possible)
- Impact assessment (what an attacker could do)
- Affected versions (which versions are vulnerable)
We aim to:
| Stage | Target time |
|---|---|
| Initial response (acknowledge receipt) | 48 hours |
| Triage (confirm + classify severity) | 7 days |
| Patch (for HIGH/CRIT) | 30 days |
| Patch (for MED/LOW) | 90 days |
| Public disclosure (after patch) | 7-14 days post-patch |
We may take longer for complex issues, but we'll keep you updated.
| Version | Supported |
|---|---|
| 1.0.x (current) | β Yes |
| < 1.0 | β No |
We strongly recommend always running the latest patch release.
We thank the following security researchers for responsible disclosure (in chronological order):
No reports yet β be the first!
CE-Harness is designed with defense in depth. Here are the built-in security features:
- AES-256-GCM at rest (
lib/security.py:EncryptedDB) for state.db - RotatingHMAC (
lib/security.py:RotatingHMAC) for audit chain (forward secrecy per 24h epoch) - PBKDF2-HMAC-SHA256 key derivation (200,000 iterations)
- Per-tenant key encryption (
lib/s3_residual.py:TenantKeyStore)
- AST-based code sandbox (
lib/code_api.py:CodeAPISandbox) with 3 layers:- AST whitelist (allowed node types)
- Name blacklist (25+ dangerous functions/attributes)
- Builtin whitelist (54 safe builtins, dangerous stripped)
- 11 PII patterns (
lib/pii_tokenizer.py) detected and tokenized - HMAC-SHA256 tokenization (one-way, deterministic per session)
- Originals never reach the LLM context
- Subagent firewall (
lib/subagent_firewall.py) with strict return contract - Subagent validator (
lib/subagent_validator.py) with 7 anti-smuggling patterns - MCP trust store (
lib/mcp_trust.py) with HMAC signing and SHA-256 pinning - CI/CD pinning (
lib/ci_cd_pinning.py) β refuses mutable tags like:latest - Container image pinning (
lib/image_pin.py) β SHA-256 digest required - Secrets vault (
lib/secrets_vault.py) with per-principal ACL
- RotatingHMAC audit chain for tamper-evident logging
- GDPR Art. 17 compliance (
lib/archive_anonymizer.py) β right to erasure - CAB approver immutability (
lib/s3_residual.py:CABRegistry) - EOL decision HMAC (
lib/s3_residual.py:EOLRegistry)
- 94+ adversarial tests covering prompt injection, sandbox escape, PII exfiltration, MCP poisoning, state tampering, hook bypass
- 50+ attack payload corpus (
lib/adversarial_corpus.py) β known attacks - 4 property-based tests for invariants
Past advisories are listed in CHANGELOG.md under "Security" sections.
No advisories published yet.
When using CE-Harness in production:
- Always run the latest patch version:
pip install --upgrade ctxh - Rotate master keys regularly: see
lib/security.py:RotatingHMAC - Enable MCP trust store: validate all MCP servers before use
- Pin container images to SHA-256 digests: never use mutable tags (
:latest) - Store secrets in the vault, not env vars:
lib/secrets_vault.py - Monitor audit chain: set up alerts on broken HMAC chains
- Use per-tenant keys: don't share encryption keys across tenants
- Archive old state with GDPR anonymization:
lib/archive_anonymizer.py - Run adversarial tests in CI: include
adversarial_*.pyin your test suite
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β EXTERNAL INTERFACES β
β CLI / Python API / YAML / Hooks SDK / MCP β
ββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββ
β
ββββββββββββββΌββββββββββββββ
β ENFORCEMENT LAYER β
β ββββββββ ββββββββ ββββββββ
β βPreToolβ βPostToolβ βHooksββ β AST sandbox, PII tokenizer, clear
β ββββββββ ββββββββ ββββββββ
ββββββββββββββ¬ββββββββββββββ
β
ββββββββββββββΌββββββββββββββ
β 5-LAYER CONTEXT MODEL β
β L0 β L1 β L2 β L3 β L4 β β 4-pillars, head/tail, no flood
ββββββββββββββ¬ββββββββββββββ
β
ββββββββββββββΌββββββββββββββ
β STATE & STORAGE LAYER β
β ββββββββ ββββββββ ββββββββ
β βSQLiteβ βVault β βMemoryββ β Encrypted at rest, per-tenant keys
β ββββββββ ββββββββ ββββββββ
ββββββββββββββ¬ββββββββββββββ
β
ββββββββββββββΌββββββββββββββ
β AUDIT LAYER β
β RotatingHMAC chain β β Forward secrecy, tamper-evident
β CAB registry β β Immutability
β EOL registry β β HMAC-signed decisions
ββββββββββββββββββββββββββββββ
- README.md β Overview
- CONTRIBUTING.md β How to contribute
- CHANGELOG.md β Version history
- audit/ β 8 audit reports
- docs/SECURITY-BEST-PRACTICES.md β Detailed security guide