If you discover a security vulnerability, please report it privately via GitHub Security Advisories.

Do not open a public issue for security vulnerabilities.

• Command injection via session names, file paths, or commit messages
• Path traversal in worktree or manifest operations
• Manifest corruption leading to data loss
• Unintended code execution via hooks
• Git state corruption from concurrent operations

• Issues requiring physical access to the machine
• Social engineering attacks
• Denial of service via large repositories
• Bugs in git itself
• Issues in the gh CLI

git-stint follows these security principles:

• All git commands use execFileSync with array arguments (never execSync with string interpolation)
• The gh CLI is called via execFileSync with explicit argument arrays
• Test commands use execFileSync("sh", ["-c", cmd]) — the command string comes from the user, not from untrusted input

• Session names are validated against ^[a-zA-Z0-9][a-zA-Z0-9._-]*$
• Path traversal (..) is explicitly rejected
• Shell metacharacters (;, |, &, etc.) are rejected in session names

• Manifest writes use atomic temp-file-then-rename pattern
• Cleanup operations delete manifest last (enables prune recovery)
• Branch and worktree creation has rollback on failure

• Security tests scan source code to verify execFileSync usage
• Name validation tests cover injection attempts
• These tests run in CI on every push