-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsecurity.html
More file actions
124 lines (122 loc) · 5.84 KB
/
security.html
File metadata and controls
124 lines (122 loc) · 5.84 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="preload" href="/nipcode-logo.png" as="image" />
<link rel="stylesheet" href="/_next/static/chunks/0pwsw40vfluf4.css" />
<link rel="icon" href="/nipcode-logo.png" type="image/png" />
<title>Security · Nipcode docs</title>
<meta name="description" content="What we protect, what we don't, and how to report." />
<link rel="canonical" href="https://nipcode.xyz/security" />
<script src="/scramble.js" defer></script>
</head>
<body>
<a class="skip-link" href="#main">Skip to content</a>
<header class="topbar" aria-label="Primary">
<a class="brand" aria-label="Nipcode home" href="/">
<span class="nipcode-mark" aria-hidden="true" style="--mark-size: 54px"><img alt="" height="54" src="/nipcode-logo.png" width="54" /></span>
<span class="brand-word" aria-hidden="true">Nipcode</span>
</a>
<div class="brand-socials" aria-label="Nipcode links">
<a class="brand-docs-link" href="/docs">Docs</a>
<a class="brand-login-link" href="/account">Login</a>
<a class="brand-icon-button" href="https://github.com/trynipcode/nipcode" target="_blank" rel="noreferrer" title="GitHub" aria-label="GitHub"><img alt="" height="18" src="/github-logo.svg" width="18"/></a>
<a class="brand-icon-button" href="https://x.com/trynipcode" target="_blank" rel="noreferrer" title="X" aria-label="X"><svg aria-hidden="true" viewBox="0 0 24 24" width="18" height="18"><path d="M18.24 2.25h3.31l-7.23 8.26 8.5 11.24h-6.66l-5.21-6.82-5.97 6.82H1.67l7.73-8.84L1.25 2.25h6.83l4.71 6.23 5.45-6.23Zm-1.16 17.52h1.83L7.08 4.13H5.11l11.97 15.64Z" fill="currentColor"/></svg></a>
</div>
</header>
<main class="docs-shell" id="main">
<aside class="docs-sidebar" aria-label="Documentation">
<a class="docs-sidebar-title" href="/docs">Nipcode docs</a>
<nav class="docs-sidebar-nav">
<div class="docs-sidebar-group">
<p>Get started</p>
<div>
<a href="/docs">Overview</a>
<a href="/quickstart">Quickstart</a>
</div>
</div>
<div class="docs-sidebar-group">
<p>API</p>
<div>
<a href="/api-access">API reference</a>
<a href="/agents">Agents</a>
<a href="/examples">Examples</a>
</div>
</div>
<div class="docs-sidebar-group">
<p>How it works</p>
<div>
<a href="/sources">Sources</a>
<a href="/trust">Trust model</a>
<a href="/architecture">Architecture</a>
<a class="docs-sidebar-active" aria-current="page" href="/security">Security</a>
</div>
</div>
</nav>
</aside>
<article class="docs-main">
<header class="docs-hero">
<p class="docs-eyebrow" data-scramble-text data-scramble-duration="600">Security</p>
<h1>What we protect, what we don't, and how to report.</h1>
<p>Nipcode is a trust layer; we hold ourselves to the standard we ask of the packages we evaluate.</p>
</header>
<section class="docs-section">
<div class="docs-section-head"><h2>Report a vulnerability</h2></div>
<div class="docs-prose">
<p>Email <code>info@nipcode.xyz</code> with subject <code>SECURITY</code>. Please do not open public issues for security reports. We acknowledge within 72 hours.</p>
<p>Include affected surface, reproduction steps, impact assessment, and optionally a proposed fix.</p>
</div>
</section>
<section class="docs-section">
<div class="docs-section-head"><h2>In scope</h2></div>
<div class="docs-prose">
<ul>
<li>Authentication and session management (<code>/api/auth*</code>)</li>
<li>API key generation, scoping, and revocation</li>
<li>Trust scoring and install-plan boundaries</li>
<li>Supabase RLS and schema</li>
<li>DNS, TLS, deployment surface</li>
</ul>
</div>
</section>
<section class="docs-section">
<div class="docs-section-head"><h2>Out of scope</h2></div>
<div class="docs-prose">
<ul>
<li>Third-party source registries (npm, PyPI, etc.). Report to them directly</li>
<li>Social engineering and physical security</li>
<li>Denial of service that does not bypass existing rate limits</li>
</ul>
</div>
</section>
<section class="docs-section">
<div class="docs-section-head"><h2>Hard rules in the codebase</h2></div>
<div class="docs-prose">
<ul>
<li>Hosted API is read-only. Any change that would let it install, clone, extract, or write to a caller workspace is rejected on review.</li>
<li>Package metadata is treated as untrusted data. It is never passed as instructions to a language model without quoting/escaping context.</li>
<li>Trust scores must trace back to source-owned evidence. No fabricated numbers.</li>
<li>API keys are scoped per-account, RLS-protected. The server-side service-role path is the only writer.</li>
</ul>
</div>
</section>
<section class="docs-section">
<div class="docs-section-head"><h2>What we store</h2></div>
<div class="docs-prose">
<p>See <a href="https://github.com/trynipcode/nipcode/blob/main/docs/security/data-retention.md">data retention</a> in the repo. Short version: account emails, API keys, waitlist emails, usage counters. No raw queries, no raw IPs, no User-Agents.</p>
</div>
</section>
</article>
</main>
<footer class="site-footer" aria-label="Site footer">
<p class="site-footer-copy">Nipcode © 2026</p>
<nav class="site-footer-links" aria-label="Legal">
<a href="/changelog">Changelog</a>
<a href="/privacy">Privacy</a>
<a href="/terms">Terms</a>
<a href="/faq">FAQ</a>
</nav>
</footer>
</body>
</html>