If you discover a security vulnerability in ralphglasses, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email security@hairglasses-studio.dev with:
- A description of the vulnerability
- Steps to reproduce (if applicable)
- The potential impact
- Any suggested fixes

Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix or mitigation: Depends on severity, typically within 2 weeks for critical issues

This policy applies to the ralphglasses Go binary, MCP server, and all packages within the repository. Security issues in dependencies should be reported to the respective upstream projects.

| Version | Supported |
|---|---|
| v0.1.x | Yes |

ralphglasses manages LLM provider API keys and spawns child processes:
- API keys are loaded from `.env` files and environment variables, never hardcoded or logged
- Child processes (Claude, Gemini, Codex CLIs) run with process group isolation and signal management
- MCP server uses stdio transport by default (no network exposure)
- Cost tracking data is stored locally in `.ralph/` directories