Security policy
OntoIndex and OntoCode are local-first tools: they index and parse files on disk and do not upload ontology content by default.
Supported versions
| Version | Supported |
|---|---|
| 0.8.x | Yes |
| 0.7.x | Best effort |
| 0.6.x | No |
| 0.5.x | No |
| 0.4.x | No |
| 0.3.x | No |
| < 0.3 | No |
Full policy: SECURITY.md on GitHub
Threat model summary
- ontoindex-lsp has no authentication. Treat it like any local dev server — do not expose it to the internet or untrusted networks.
- Workspace path jail: The language server operates on the opened workspace folder. Custom document_uri values in patch requests must resolve within the workspace.
- Resource limits: File count, size, entity, and triple caps reduce DoS risk when opening untrusted repositories — see workspace-limits.md.
- VS Code Restricted Mode: ontocode.lspPath is ignored in untrusted workspaces; the bundled server is used instead.
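As an added illustration of the workspace path jail described above (example code written for this page, not OntoIndex's own implementation): a containment check that maps a file:// document_uri onto an absolute path and rejects it unless it lies inside the workspace root. The names jail_document_uri and JailError are assumptions; the check is purely lexical and does not percent-decode the URI or follow symlinks, so a real server would still canonicalize against the filesystem before use.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons a document_uri is rejected by the (hypothetical) path jail.
#[derive(Debug, PartialEq)]
pub enum JailError {
    NotFileUri,
    Relative,
    EscapesWorkspace,
}

/// Resolve `.` and `..` lexically, without touching the filesystem, so a
/// traversal such as `src/../../secrets.txt` cannot hide behind a valid prefix.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::CurDir => {}
            // pop() is a no-op at the root, so `..` cannot climb above `/`.
            Component::ParentDir => {
                out.pop();
            }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Map a `file://` document_uri onto an absolute path and reject it unless it
/// lies inside `workspace_root`. Component-wise `starts_with` also blocks the
/// sibling-directory bypass: `/ws-evil/x` is not inside `/ws`.
pub fn jail_document_uri(workspace_root: &Path, document_uri: &str) -> Result<PathBuf, JailError> {
    let raw = document_uri.strip_prefix("file://").ok_or(JailError::NotFileUri)?;
    let path = Path::new(raw);
    if !path.is_absolute() {
        return Err(JailError::Relative);
    }
    let resolved = normalize(path);
    if !resolved.starts_with(normalize(workspace_root)) {
        return Err(JailError::EscapesWorkspace);
    }
    Ok(resolved)
}

fn main() {
    // Constructed sample workspace and requests; nothing is read from disk.
    let ws = Path::new("/home/dev/ontology");
    for uri in ["file:///home/dev/ontology/src/a.owl", "file:///home/dev/ontology/src/../../secrets.txt"] {
        println!("{uri} -> {:?}", jail_document_uri(ws, uri));
    }
}
```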
Reporting vulnerabilities
Report via GitHub Security Advisories — not public GitHub issues.
The canonical policy (supported versions, scope, hardening table) is maintained in the repository's SECURITY.md.
Quick hardening checklist
| Control | Recommendation |
|---|---|
| LSP exposure | Local stdio only; never port-forward ontoindex-lsp |
| Custom LSP binary | Set ontocode.lspPath only in trusted workspaces |
| Release artifacts | Verify SHA256SUMS from official GitHub Releases — release-integrity.md |
| CI validation | Use ontoindex validate to gate merges — ci-integration.md |
| Dependency audit | cargo audit runs in project CI |
Enterprise evaluation
Procurement-oriented summary: enterprise evaluation guide · production readiness · LGPL compliance
Related
- FAQ — security and LGPL
- Errors reference
- LICENSES.md — third-party licenses including LGPL (horned-owl)