Skip to content

Security: TheBarmaEffect/Barx

Security

SECURITY.md

Security policy

Supported versions

Version Supported
1.0.x yes
0.1.0 (2025 legacy package) no — retired, different product

Reporting a vulnerability

Email golla.sat@northeastern.edu with details and reproduction steps. You should receive a response within 72 hours. Please do not open public issues for security reports until a fix is released.

Security model (what Barx does and does not promise)

  • Barx is local-first: no telemetry, no cloud, no hidden network calls. Studio binds 127.0.0.1 with a Host-header check and CSP.
  • Guard is not a sandbox. It observes/blocks documented seams only; do not rely on it to contain untrusted code.
  • Secrets are redacted in stored evidence and prompts/responses are hashed by default — but Barx evidence files inherit the permissions of your filesystem; protect .barx/ like any build artifact.
  • The GitHub PR-comment helper contacts the GitHub API only when explicitly given a token in a pull-request context.

See docs/CLAIMS.md for the full honesty contract.

There aren't any published security advisories