Security#
If you believe you found a security vulnerability in CapaKit, please report it privately.
Do not open a public GitHub issue for vulnerabilities, suspected sandbox escapes, secret exposure, package integrity issues, or unauthorized Workload access.
For CapaKit's runtime isolation, trust boundaries, and secret-handling model, see the Security Model.
Report a Vulnerability#
Email: security@capakit.com
Please include:
- affected CapaKit CLI version
- macOS version and CPU architecture
- short impact summary
- minimal reproduction steps
- relevant logs with secrets removed
- whether the issue involves Kit secrets, Vault secrets, Workload isolation, Endpoint exposure, Registry integrity, Relay behavior, package integrity, or unauthorized Workload access
Do not send real API keys, production tokens, private customer data, or private Kit source unless we explicitly ask for it.
Supported Versions#
During public alpha, only the latest published CapaKit CLI version is supported for security fixes.
Before reporting, please update to the latest CLI version when possible:
capakit --version
Release Authenticity#
CapaKit macOS releases are Apple Developer ID-signed and notarized. The shell installer verifies the downloaded
capakit binary's CapaKit Developer ID signature before installing it.
Install only from:
- https://capakit.com/install.sh
brew install capakit/tap/capakit- https://github.com/capakit/cli/releases
Release archives include checksums in SHA256SUMS.
What To Report Privately#
Report security-sensitive issues privately when they involve:
- access to undeclared files, mounts, secrets, or environment data
- Workload sandbox escape
- bypassing Workload-to-Workload connection policy
- unauthorized access to Kit secrets or Vault secrets
- unintended Endpoint exposure or public path access
- Registry metadata, package, installer, or update integrity issues
- Relay behavior that exposes provider secrets or bypasses declared trust boundaries
- sensitive data appearing in logs or generated files
- cross-Kit or cross-Workload isolation failures
Non-Security Bugs#
For regular bugs, installer problems, docs issues, or confusing behavior, open a public issue: