If you believe you have found a security vulnerability, please open a private advisory on GitHub for this repository or contact the maintainers with details and reproduction steps. Do not file public issues for undisclosed vulnerabilities.
This project is experimental research code. It is not hardened for hostile networks; treat deployments accordingly.
StreamHive can wrap peer connections in TLS:
-tls-certand-tls-keyenable TLS on the listener.-tls-caand-tls-server-nameenable outbound certificate verification.-tls-insecure-skip-verifyis for local development only.
Library users can configure p2p.TCPTransport.TLSServerConfig and
p2p.TCPTransport.TLSClientConfig directly. Use tls.Config.ClientAuth,
ClientCAs, and client certificates when you need mTLS.
TLS protects the TCP channel and, when configured with CA verification, authenticates the certificate presented by the peer. StreamHive does not yet have application-level peer identity, authorization, ACLs, or signed replication messages. Do not expose the P2P port to untrusted networks without a deployment-level trust boundary.
CI runs govulncheck ./... on each push and pull request to main.
The sbom CI job emits a CycloneDX JSON bill of materials (sbom.cdx.json) as a workflow artifact for supply-chain review.