Preferred: Use GitHub Security Advisories to report vulnerabilities privately.

Alternative: Email security concerns to the repository owner via GitHub profile.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

cc-lens is a localhost-only dashboard that reads Claude Code session data from ~/.claude/. The security model relies on:

1. TCP binding to 127.0.0.1 (primary boundary)
2. Middleware two-layer Host header check (defense-in-depth)
3. Input validation on all API parameters (isValidSlug, path traversal guards)

• Path traversal in API routes or readers (slug, session ID, file paths)
• XSS via session data rendered in the dashboard
• Cache corruption or poisoning
• Information disclosure beyond ~/.claude/ directory
• Bypass of localhost-only restriction
• Denial of service via malformed JSONL input

• Physical access to the machine (localhost tool assumes trusted local user)
• Social engineering
• Issues requiring non-default CC_LENS_HOST configuration (user explicitly opted in)
• Vulnerabilities in upstream dependencies with no cc-lens-specific exploit path

Responsible reporters will be credited in the release notes unless they prefer to remain anonymous.

For a detailed threat model covering attack surfaces, trust boundaries, and mitigations, see docs/threat-model.md.