Security policy

Supported versions

Archora is pre-1.0; only main receives fixes. After 1.0, we'll support the current minor and one prior minor for twelve months.

Reporting

Email security@archora.io. Don't open public issues for security problems. Include repro steps, affected version, and any PoC or logs.

We acknowledge within 48 hours and aim to ship a fix or documented mitigation within 14 days for confirmed high-severity reports.

A PGP key will be published alongside the 1.0 website.

Scope

In scope: the desktop app, @archora/core, @archora/cli, the analyzer parsers, and Rust IPC commands in src-tauri/src/commands.rs.

Out of scope: issues in the frameworks we analyze (Vue, React, Nuxt, etc. — report upstream), DoS from pathological input projects (we bound file size and apply discover filters, but crafted adversarial inputs are a known limitation), and dev-dependency vulnerabilities that don't reach production bundles (see below).

Dependencies

CI runs npm audit --omit=dev; production vulnerabilities block the release. Current state: 0 in production, a handful of moderate issues in the dev chain (vite@5 → esbuild) that affect only the dev server and tests. Fixing those requires vite@8, planned as a separate breaking upgrade.

Rust crates go through cargo audit in the release workflow; any Critical advisory blocks the release.

Design

  • Local-first by default. The desktop app makes no network requests during a scan. Only the license check and opt-in AI calls are outbound; both are enumerated in the desktop CSP.
  • Filesystem access is scoped to the picked root. read_file and file_exists reject absolute paths and .., canonicalize both the root and the target, and refuse anything that escapes. Covered by cargo test in src-tauri/.
  • read_file caps input size at 2 MiB by default, 16 MiB hard max.
  • No subprocesses. No shell interpolation of user input.
  • AI API keys (when that ships) live in the OS keyring via tauri-plugin-stronghold, never in localStorage or plain files.
  • Desktop WebView runs with a CSP that blocks connect-src outside an explicit allow-list.
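
The scoping and size-cap rules above can be sketched in Rust as follows. This is an added example, not Archora's code from src-tauri/src/commands.rs: the names resolve_scoped, read_scoped and ScopeError are hypothetical, and only the standard library is used.

```rust
use std::fs::{self, File};
use std::io::Read;
use std::path::{Component, Path, PathBuf};

const DEFAULT_CAP: u64 = 2 * 1024 * 1024; // 2 MiB default, as stated above
const HARD_MAX: u64 = 16 * 1024 * 1024; // 16 MiB hard maximum

#[derive(Debug, PartialEq)]
pub enum ScopeError { BadPath, Escapes, TooLarge, Io }

/// Resolve `rel` under `root`; refuse anything that leaves the root.
pub fn resolve_scoped(root: &Path, rel: &str) -> Result<PathBuf, ScopeError> {
    // Lexical check first: only plain names and `.` are allowed, so absolute
    // paths, drive prefixes and `..` are rejected before touching the disk.
    let ok = Path::new(rel).components()
        .all(|c| matches!(c, Component::Normal(_) | Component::CurDir));
    if rel.is_empty() || !ok {
        return Err(ScopeError::BadPath);
    }
    // Canonicalize both sides so symlinks are resolved before comparing.
    let root = fs::canonicalize(root).map_err(|_| ScopeError::Io)?;
    let target = fs::canonicalize(root.join(rel)).map_err(|_| ScopeError::Io)?;
    // starts_with compares whole components, so /root-evil does not match /root.
    if target.starts_with(&root) { Ok(target) } else { Err(ScopeError::Escapes) }
}

/// Read a scoped file with the caller's cap clamped to the hard maximum.
pub fn read_scoped(root: &Path, rel: &str, cap: Option<u64>) -> Result<Vec<u8>, ScopeError> {
    let cap = cap.unwrap_or(DEFAULT_CAP).min(HARD_MAX);
    let file = File::open(resolve_scoped(root, rel)?).map_err(|_| ScopeError::Io)?;
    // Read at most cap + 1 bytes: the limit holds even if the file grows
    // while it is being read, and the buffer never exceeds the cap by more than one byte.
    let mut buf = Vec::new();
    file.take(cap + 1).read_to_end(&mut buf).map_err(|_| ScopeError::Io)?;
    if buf.len() as u64 > cap { Err(ScopeError::TooLarge) } else { Ok(buf) }
}

fn main() {
    let root = std::env::temp_dir();
    println!("{:?}", read_scoped(&root, "../etc/passwd", None)); // Err(BadPath)
}
```

In this sketch the containment check and the open are separate steps, so a path component swapped for a symlink between the two is not covered.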

Roadmap

Signed macOS/Windows/Linux builds, Playwright network-isolation smoke on built artifacts, SAML SSO for Team/Enterprise, optional audit log.