Security model
SeamShield Community is a local scanner and control engine. It inspects repo files on the machine where it is run, produces access-lane findings, and writes investigations under `.seamshield/`.
Default commitments
- Community scanning does not upload source code or findings.
- `ship`, `access`, `privacy`, `doctor`, `guard`, and `init` are designed for local/offline operation.
- Network-backed dependency intelligence is only used when explicitly requested and keeps source code private.
- Secrets are redacted before reports, JSON, SARIF, investigations, and fix plans are emitted.
- No automatic untrusted rule updates are installed by Community.
Scope
SeamShield reports access-lane risk. It does not claim that an entire app is secure or vulnerability-free. A clean ship verdict means that the controls which ran found no block-level or high-severity unsafe-to-ship access lanes; it says nothing about controls that did not run.
Report a vulnerability
If you find a vulnerability in the CLI, rule engine, npm package, website, or release process, send a concise report with reproduction steps, affected versions, expected impact, and whether source or secrets could be exposed.
- Do not include third-party secrets, customer source code, or personal data in a report.
- Prefer minimal repro fixtures and redacted logs.
- For suspected package compromise, include the package version, tarball URL, shasum, and install command used.
Package provenance
The public package is `@seamshield/cli` on npm. Do not install the old personal-scope `seamshield` package.
- Use `npx @seamshield/cli ship . --offline` for the local deploy verdict.
- Use `npm view @seamshield/cli version dist.tarball dist.integrity dist.shasum` to inspect registry metadata (the integrity and shasum fields live under `dist`).
- Future release work will add stronger checksum and signed provenance guidance.
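Registry metadata is only useful once it is compared against the tarball actually on disk. The following is an added example, not SeamShield's own tooling: two POSIX shell functions that check a downloaded npm tarball against the SRI `dist.integrity` string and the legacy `dist.shasum` value using `openssl`. The `npm pack` workflow in the comments and the tarball file name are assumptions.

```shell
#!/bin/sh
# Added example (not part of SeamShield): verify a locally downloaded npm
# tarball against the metadata `npm view` reports, so the bytes you install
# are the bytes the registry describes.
#
# Assumed workflow (constructed, not from the project docs):
#   npm view @seamshield/cli dist.tarball dist.integrity dist.shasum
#   npm pack @seamshield/cli          # downloads seamshield-cli-<ver>.tgz
#   verify_integrity seamshield-cli-<ver>.tgz "sha512-<base64>" && \
#   verify_shasum    seamshield-cli-<ver>.tgz "<40-hex-sha1>"

# Base64 digest of FILE ($1) with ALGO ($2): the encoding npm uses in
# Subresource Integrity (SRI) strings such as "sha512-<base64>".
sri_digest() {
  openssl dgst "-$2" -binary "$1" | openssl base64 -A
}

# verify_integrity FILE SRI -> 0 on match, 1 on mismatch, 2 on bad input.
verify_integrity() {
  file="$1"; sri="$2"
  algo="${sri%%-*}"        # e.g. sha512 (base64 never contains '-')
  want="${sri#*-}"         # base64 digest published by the registry
  case "$algo" in
    sha256|sha384|sha512) ;;
    *) echo "unsupported SRI algorithm: $algo" >&2; return 2 ;;
  esac
  have=$(sri_digest "$file" "$algo") || return 2
  if [ "$have" = "$want" ]; then
    echo "ok: $file matches registry $algo integrity"
  else
    echo "MISMATCH: $file does not match registry $algo integrity" >&2
    return 1
  fi
}

# verify_shasum FILE HEX -> compares the legacy dist.shasum (SHA-1, hex).
# SHA-1 is weak on its own; treat it as a secondary check after SRI.
verify_shasum() {
  have=$(openssl dgst -sha1 -r "$1" | cut -d' ' -f1)
  if [ "$have" = "$2" ]; then
    echo "ok: $1 matches registry shasum"
  else
    echo "MISMATCH: $1 sha1 shasum differs from registry value" >&2
    return 1
  fi
}
```

A mismatch on either check means the tarball should not be installed until the difference is explained; the page's vulnerability-report guidance lists exactly the values (version, tarball URL, shasum, install command) to include in that case.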
Changelog
Investigation markdown and publish metadata
- Added remediation checklists, false-positive triage prompts, and copy-paste commands to local investigation reports.
- Fixed npm package bin metadata so publish no longer auto-corrects `bin.seamshield`.
Targeted agent context generation
- Added `seamshield init . --agents codex,cursor` for selected Community agent instruction files.
- Kept Pro and Enterprise functionality out of the Community CLI.
Community doctor
- Added `seamshield doctor` for local health checks across package scope, config, offline defaults, guard, CI, agent context, and rule artifacts.
Security contact
Security contact details will be published with the hosted platform. Until then, use the project repository issue path for non-sensitive reports and keep sensitive material out of public issues.