Tailshell is a self-hosted web terminal: it gives authenticated users an interactive shell on the host (via ttyd + tmux), persists user state in MySQL, and is reverse-proxied by nginx. This document records the disclosure process and the threat model.

For the operational hardening checklist that production deployments are expected to follow (HTTPS via Tailscale Serve, cookie flags, CORS posture, secret handling, rate-limit tuning), see docs/SECURITY.md.

Do not file a public GitHub issue or pull request for security problems. Instead:

• Email the security contact at security@visorcraft.com.
• Include reproduction steps, the Tailshell git commit (git rev-parse HEAD), the deployment topology (single-user vs. multi-user, Tailscale Serve vs. direct, MFA on/off), and any relevant nginx / API logs with secrets redacted.
• We aim to acknowledge within 72 hours and to publish a patch + advisory within two weeks of confirming a fix.

Please give us a 30-day coordinated-disclosure window before going public, unless the vulnerability is already actively exploited.

The latest master branch is supported with security fixes. Older tagged releases receive fixes only when the patch is trivial to backport. Always run with the latest API + UI + nginx images pulled together — running mismatched versions across the three layers is unsupported.

Tailshell ships zero telemetry. No analytics, no crash reports, no ping-home behavior. The only outbound traffic Tailshell originates on its own is:

• Container image pulls during docker compose up (from your configured registry).
• Tailscale Serve / Tailscale Funnel traffic, when the operator wires it up.

The application itself does not phone home. Operator-side observability (audit logs, structured logs, Prometheus metrics) is local-only by default and lives under the host's filesystem.

• JWTs are issued with short-lived access tokens (~15 minutes) and rotating refresh tokens (~7 days), each revocable server-side.
• Cookies are HttpOnly with SameSite=Strict. Production deployments must set TAILSHELL_COOKIE_SECURE=true so cookies are also marked Secure.
• CSRF protection is enforced on mutating routes when cookie auth is used. The UI sends X-CSRF-Token; the API rejects mutations that don't carry it.
• Passwords are hashed with bcrypt at cost factor 12 and validated against the strong password policy.
• Login attempts are rate-limited (default: 5 attempts per 15 minutes, per IP + per username).
• Admins can enable TOTP-based MFA (and should). MFA is enforced per role.
• Roles: admin, user, editor, readonly, auditor. Endpoint access is enforced per role; routes that mutate global state are admin-only.

• ttyd runs as an unprivileged user-level systemd service. The wrapper refuses to start as root unless TAILSHELL_ALLOW_ROOT_TTYD=true is set explicitly.
• Terminal access is gated by role and by an additional terminal_token cookie that scopes WebSocket connections to a single authenticated session.
• tmux sessions are namespaced per user so workspace isolation does not depend on shell discipline.
• The reverse proxy refuses upgrade requests without a valid terminal_token.

• MySQL is reached over the internal Docker network only; docker-compose.yml binds the port to 127.0.0.1.
• Database access goes through Knex with parameterized queries.
• Audit log entries (auth events + CRUD on workspaces, prompts, invitations, password resets) are written into the audit table with the actor, action, target, source IP, and timestamp.
• Refresh-token rotation, MFA challenges, and password-reset tokens are stored hashed; the plaintext is never persisted.

• .env is in .gitignore. The .env.example file lists every variable Tailshell reads.
• Production deployments should prefer Docker secrets or an external secret manager over .env files. The API and MySQL containers support *_FILE variants for sensitive values (JWT_SECRET_FILE, MYSQL_PASSWORD_FILE, etc.).
• TLS certificates live under nginx/certs/ and are mounted read-only into the nginx container.

Tailshell does not sandbox the shells it spawns. A user with a terminal session can run any command their Unix account is allowed to run, including outbound network traffic. This is intentional — the whole point of the product is to be a real shell — but operators should configure their host's outbound firewall, Tailscale ACLs, or egress proxy according to their threat model.

CORS is disabled by default. The expected production layout is same-origin: the UI and API are served from the same hostname (via nginx) so no preflight requests are needed.

If you intentionally serve the UI from a separate origin, set CORS_ORIGIN to an exact allowlist (never *). Credentialed CORS requires CORS_CREDENTIALS=true and a non-wildcard origin.

• npm audit is run during CI on every push.
• Dependabot opens weekly PRs for transitive and direct npm updates; please review and merge them once CI is green.
• Container base images (node, nginx, mysql) are pinned by tag in the compose files; bump them in a dedicated PR so the change is easy to revert.