Eyrie-Templates/SECURITY.md

# Security Policy (Draft)

## Supported versions

- Until first stable release, only the latest minor/patch is supported.
- Post‑1.0: last two minor versions receive security fixes.

## Reporting a vulnerability

- Please email security reports to: security@your-domain.example (replace with your contact)
- Provide a minimal reproduction, affected version, environment details, and impact if possible.
- We aim to acknowledge within 3 business days and provide a timeline after triage.

## Disclosure process

1. Private triage and fix development.
2. Coordinated disclosure with reporter; optional CVE request if applicable.
3. Security release notes summarizing impact, severity, and upgrade guidance.

## Secure development guidelines

- Auto‑escape by default; minimize usage of `safe` and review all instances.
- No dynamic eval; no template‑driven file/network access.
- Validate and normalize template names; prohibit `..` traversal and absolute paths unless namespaced.
- Keep clear separation: helpers/filters are whitelisted and reviewed.
- Enforce depth/iteration/time and size limits with safe defaults.
- Prefer exceptions with sanitized messages over warnings or silent failures.
- Components:
  - Register components explicitly; unregistered components must not be invokable.
  - Treat component props as untrusted input; validate types and ranges before use.
  - Components must not perform filesystem/network access by default and must not mutate outer template context.
  - Cap component recursion/nesting depth to avoid DoS.

## Secrets and sensitive data

- Do not pass secrets (tokens, passwords) through template contexts unless absolutely necessary; prefer redacted representations.
- Ensure logs and error messages do not include raw context values in production.

## Dependencies and updates

- Target PHP 8.1+ (finalize at release); use supported versions only.
- Pin constraints to secure versions; audit dependencies regularly (e.g., `composer audit`).
- Security fixes are backported per Supported versions policy.

## Hardening recommendations for deployers

- Place cache directory outside web root with perms `0700`.
- Run PHP under least‑privilege account; restrict template directories to read‑only for the runtime.
- Disable display of errors in production; enable structured logging.
-												Initial commit

											
										
										
											2026-01-06 23:29:10 +00:00
+								# Security Policy (Draft)
 								## Supported versions
 								- Until first stable release, only the latest minor/patch is supported.
 								- Post‑1.0: last two minor versions receive security fixes.
 								## Reporting a vulnerability
 								- Please email security reports to: security@your-domain.example (replace with your contact)
 								- Provide a minimal reproduction, affected version, environment details, and impact if possible.
 								- We aim to acknowledge within 3 business days and provide a timeline after triage.
 								## Disclosure process
 . Private triage and fix development.
 . Coordinated disclosure with reporter; optional CVE request if applicable.
 . Security release notes summarizing impact, severity, and upgrade guidance.
 								## Secure development guidelines
 								- Auto‑escape by default; minimize usage of `safe` and review all instances.
 								- No dynamic eval; no template‑driven file/network access.
 								- Validate and normalize template names; prohibit `..` traversal and absolute paths unless namespaced.
 								- Keep clear separation: helpers/filters are whitelisted and reviewed.
 								- Enforce depth/iteration/time and size limits with safe defaults.
 								- Prefer exceptions with sanitized messages over warnings or silent failures.
 								- Components:
 								  - Register components explicitly; unregistered components must not be invokable.
 								  - Treat component props as untrusted input; validate types and ranges before use.
 								  - Components must not perform filesystem/network access by default and must not mutate outer template context.
 								  - Cap component recursion/nesting depth to avoid DoS.
 								## Secrets and sensitive data
 								- Do not pass secrets (tokens, passwords) through template contexts unless absolutely necessary; prefer redacted representations.
 								- Ensure logs and error messages do not include raw context values in production.
 								## Dependencies and updates
 								- Target PHP 8.1+ (finalize at release); use supported versions only.
 								- Pin constraints to secure versions; audit dependencies regularly (e.g., `composer audit`).
 								- Security fixes are backported per Supported versions policy.
 								## Hardening recommendations for deployers
 								- Place cache directory outside web root with perms `0700`.
 								- Run PHP under least‑privilege account; restrict template directories to read‑only for the runtime.
 								- Disable display of errors in production; enable structured logging.