Goalpower is a young project. We currently security-fix:
| Version | Supported |
|---|---|
| 1.2.x | ✅ |
| < 1.2 | ❌ |
Please do NOT open a public GitHub issue for security vulnerabilities.
Instead, email the maintainer at: info@contentplanning.ai.
Please include:
- Description of the issue and its potential impact
- Affected versions
- Reproduction steps (minimal if possible)
- Suggested fix if you have one
- Whether you'd like credit in the disclosure
We will acknowledge receipt within 48 hours and aim to ship a fix within 14 days for high-severity issues.
We follow coordinated disclosure:
- Reporter reports privately
- Maintainer acknowledges + triages
- Fix is developed privately
- Fix is released
- Public advisory is published alongside the release
In scope:
- Anything in
src/that handles untrusted input - State-file corruption vectors
- Path traversal in state directory handling
- Hook execution vulnerabilities
Out of scope:
- Vulnerabilities in OpenCode itself (report to the OpenCode maintainers)
- Vulnerabilities in dependencies (report upstream)
- Theoretical issues without a reproduction
Goalpower follows these security-conscious defaults:
- File permissions: State files are written with mode
0o600. Parent directories0o700. - Atomic writes: All state writes go through a
tmp → renamepattern. Crashes mid-write leave the previous state intact. - No network: The plugin makes zero outbound network calls. All state is local to
~/.config/opencode/state/goalpower/. - No eval: The plugin never
evals user input or LLM output. Verdict JSON is parsed withJSON.parseand treated as untrusted data. - Objective escapes: User-provided objective text is XML-escaped (
&,<,>) before being injected into any prompt template.