Security: ManzoliW/effect-harness-agent

SECURITY.md

Security Policy

Effect Harness Agent is a machine-to-machine protocol read and executed by LLM agents. A flaw in the protocol — a missed scope check, a bypassable approval gate, a leaky write-back path — can ripple across every downstream project that mounts this harness. We take reports seriously.

Supported versions

The harness has not yet cut a v1.0. Until it does, we provide fixes only on main. Pin a specific commit SHA in your downstream projects if you need byte-for-byte stability.

Version           Supported
----------------  -----------
main              yes
pre-1.0 tags      best effort

Once v1.0 ships, this section will be updated with a semver support window.

Reporting a vulnerability

Please do not open a public GitHub issue for security reports.

Send a private report to:

william.manzoli@gmail.com

If you prefer encrypted communication, request a PGP key in your initial message and we will respond with one before you send details.

Include in your report:

  • A clear description of the issue and the protocol surface it affects (router, lifecycle gate, scope guard, write-back, role matrix, skill loader, etc.)
  • Steps to reproduce, ideally as a minimal launch_spec_*.md + the prompt that triggered the issue
  • Affected commit SHA(s)
  • Your assessment of impact (read-only confidentiality, scope escape, approval-gate bypass, retry-loop exhaustion, etc.)
  • Any suggested mitigation or patch sketch

We will acknowledge receipt within 5 business days and aim to provide an initial assessment within 14 days. Coordinated disclosure timelines are negotiable based on severity and complexity.

Scope

The following are considered in scope for security reports:

  • Approval-gate bypass — any path that allows MEDIUM/HIGH risk changes to reach Implement without an explicit human approval marker
  • Scope-guard bypass — edits to files outside focus_card.md scope without a [Boundary Exception Request]
  • Anti-loop bypass — exceeding 3 retries on scripts or 2 on compilation without escalation
  • Secrets exfiltration via write-back — any flow where secrets_linter.py would have caught a leak but didn't
  • Knowledge-graph poisoning — write-back that promotes attacker-controlled content into a stable index without lifecycle checks
  • Skill substitution — loading a skill from outside .agents/skills/ or executing arbitrary code via skill metadata
  • Gate runner injection — argument or path injection into gates/run.py, harness/engine.py, or any individual gate
  • CI exposure — secrets or write-permission escalation in .github/workflows/harness-ci.yml

The following are out of scope (please don't report these unless they enable one of the above):

  • Findings in downstream target projects that consume this harness — report those to the target project
  • Findings in third-party tools the harness invokes (Playwright, axe, Lost-Pixel, Lighthouse, ts-morph, Effect, tsgo) — report to their upstream maintainers
  • LLM model behavior unrelated to the protocol (hallucinations, refusal patterns, etc.)
  • Theoretical attacks requiring an already-compromised maintainer account

Disclosure

We follow coordinated disclosure. After a fix lands on main, we will:

  1. Publish a CHANGELOG entry describing the fix and the affected versions
  2. Credit the reporter in the release notes (unless anonymity is requested)
  3. Open a public advisory on the GitHub Security Advisories tab if the issue warrants one

Thank you for helping keep the harness — and the projects that depend on it — safe.