# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.0.x | :white_check_mark: |
## Security Design
### API Key Protection
- API keys are **never logged** at any log level
- API keys are transmitted only over HTTPS
- API keys are stored in environment variables, not in code or config files
- An API key is required for server operation
### File System Security
- **Path Traversal Prevention**: All file operations are restricted to the configured workspace root
- **Sandboxed Access**: The proxy cannot access files outside the workspace directory
- **No Arbitrary Code Execution**: User input is never executed as code
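One way to enforce the workspace-root restriction described above, shown as an added example (not PartnerCore's own code). The names `resolve_in_workspace` and `PathOutsideWorkspace` are hypothetical, and the directory layout in `demo()` is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideWorkspace(Exception):
    """Raised when a requested path resolves outside the workspace root."""


def resolve_in_workspace(workspace_root, requested):
    """Return the real path for `requested`, or raise if it leaves the root."""
    root = Path(workspace_root).resolve(strict=True)
    # An absolute `requested` replaces `root` in the join; the check below catches it.
    # resolve() also follows symlinks on every component that already exists.
    candidate = (root / requested).resolve(strict=False)
    # Compare whole path components, not string prefixes, so a sibling such as
    # "<root>-backup" is not mistaken for a child of "<root>".
    if candidate != root and root not in candidate.parents:
        raise PathOutsideWorkspace(f"{requested!r} resolves outside {root}")
    return candidate


def demo():
    """Run the check against a constructed layout; return label -> outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "workspace"
        sibling = Path(tmp) / "workspace-backup"
        (root / "src").mkdir(parents=True)
        sibling.mkdir()
        (sibling / "secret.txt").write_text("outside the workspace")
        cases = {
            "relative file": "src/app.al",
            "dotdot inside root": "src/../app.json",
            "dotdot to sibling": "../workspace-backup/secret.txt",
            "absolute path": str(sibling / "secret.txt"),
        }
        try:
            os.symlink(sibling, root / "link")  # symlink that points out of the root
            cases["symlink escape"] = "link/secret.txt"
        except (OSError, NotImplementedError):
            pass  # platform or privileges do not allow creating symlinks
        for label, requested in cases.items():
            try:
                resolve_in_workspace(root, requested)
                results[label] = "allowed"
            except PathOutsideWorkspace:
                results[label] = "blocked"
    return results
```

Callers should open the returned path rather than the original string. The check does not cover a symlink swapped in between the check and the open.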
### Network Security
- All cloud communication uses **HTTPS/TLS**
- The proxy only connects to:
  - `marketplace.visualstudio.com` (Microsoft VS Code Marketplace)
  - `partnercore-mcp-prod.agreeablebush-0fe29c4e.eastus.azurecontainerapps.io` (PartnerCore Cloud)
- No arbitrary network connections are made
### Data Privacy
- **No telemetry** is collected without explicit consent
- Source code is processed locally by the AL Language Server
- Only explicitly requested operations are sent to PartnerCore Cloud
- PartnerCore Cloud does not store your source code
### Local Processing
The following operations are processed **entirely locally**:
- AL symbol navigation (definitions, references, hover)
- Code completion
- Diagnostics from AL compiler
- File reading/writing within workspace
- Git operations
- BC Container operations
### Cloud Processing
The following use PartnerCore Cloud:
- AI-powered code review
- Knowledge base search
- Template retrieval
- Pattern analysis
## Reporting a Vulnerability
If you discover a security vulnerability, please report it responsibly:
1. **Do NOT** create a public GitHub issue
2. Email security concerns to: security@ciellos.com
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

We will acknowledge receipt within 48 hours and provide a detailed response within 7 days.
## Security Best Practices for Users
1. **Keep your API key secret**
   - Never commit API keys to version control
   - Use environment variables or secure secret management
   - Rotate keys if you suspect compromise
2. **Update regularly**
   - Keep partnercore updated to the latest version
   - Monitor release notes for security fixes
3. **Restrict workspace scope**
   - Only point the proxy at trusted AL workspaces
   - Don't run the proxy on untrusted code
4. **Network security**
   - Use the proxy in trusted network environments
   - Consider firewall rules to restrict outbound connections
## Audit Trail
Security-relevant changes are documented in CHANGELOG.md with the [SECURITY] tag.