
Security: fonsecabc/orchestrator


.github/SECURITY.md

Security Policy

Supported Versions

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public issue
  2. Email the maintainers with details of the vulnerability
  3. Include steps to reproduce if possible
  4. Allow reasonable time for a fix before public disclosure

Security Considerations

Agent Sandboxing

Orchestrator spawns Claude Code agents as subprocesses. Each agent runs under an automatic permission sandbox, a per-agent deny-list applied when the subprocess is started, that prevents:

  • Reading other agents' workspaces (~/.orchestrator/agents/<other-id>/)
  • Accessing orchestrator config files (squads.json, variables.json, orch.db)
  • Reading the IPC socket directly

Variables

Variables in ~/.orchestrator/variables.json may contain sensitive values (API keys, database URLs). These are:

  • Excluded from git via .gitignore
  • Only interpolated at runtime into workflow prompts
  • Accessible via the REST API on localhost only (port 47821)

REST API

The REST API binds to 127.0.0.1:47821 (localhost only). It does not support authentication; it is designed for local use by the app and its agents. Because there is no authentication, anything that can reach the loopback interface can call it, including every other process on the same host, and through it read the variables described above. Do not expose this port to the network: do not put it behind a reverse proxy, forward it over an SSH tunnel, or map it out of a container.

WhatsApp Bridge

The WhatsApp bridge stores credentials in ~/.orchestrator/whatsapp/auth/ with restrictive file permissions. QR code pairing uses WhatsApp's Linked Devices feature. Commands are accepted only from phone numbers explicitly allow-listed in the config.
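As an added check (example code, not part of the orchestrator project), the script below verifies the two host-level guarantees stated in the REST API and WhatsApp Bridge sections: that port 47821 is listening on loopback only, and that ~/.orchestrator/whatsapp/auth/ (and variables.json, which holds the values the Variables section describes) is not readable by other users. The port and paths come from this policy; the `ss -ltn` line format the parser expects, the ORCH_CHECK_HOST switch and the sample listener lines in the usage below are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not orchestrator's own code. Checks the loopback-only REST
# bind and the private-permission claims from SECURITY.md.
set -u

ORCH_PORT=47821                         # from the policy text
ORCH_DIR="${HOME}/.orchestrator"        # from the policy text

# check_bind PORT: reads `ss -ltn`-style lines on stdin (field 4 is the local
# address:port, e.g. 127.0.0.1:47821, 0.0.0.0:47821 or *:47821).
# Returns 0 if PORT listens on loopback only, 1 if any listener for PORT is on
# a non-loopback address, 2 if nothing listens on PORT at all.
check_bind() {
  local port="$1" found=0 exposed=0 state recvq sendq addr rest
  while read -r state recvq sendq addr rest; do
    case "$addr" in
      *:"$port")
        found=1
        case "$addr" in
          127.0.0.1:*|"[::1]:"*) ;;    # loopback: what the policy promises
          *) exposed=1 ;;               # 0.0.0.0, *, [::] or a LAN address
        esac
        ;;
    esac
  done
  [ "$found" -eq 1 ] || return 2
  [ "$exposed" -eq 0 ] || return 1
  return 0
}

# check_private_path PATH: returns 0 if PATH has no group/other permission
# bits, 1 if it is readable by group or others, 2 if it does not exist.
# Uses GNU stat first and falls back to BSD stat (macOS).
check_private_path() {
  local p="$1" mode
  [ -e "$p" ] || return 2
  mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")
  case "$mode" in
    *00) return 0 ;;    # last two octal digits (group, other) are zero
    *)   return 1 ;;
  esac
}

# run_host_checks: apply both checks to the live host. Only runs when
# ORCH_CHECK_HOST=1 so the functions can also be sourced and tested offline.
run_host_checks() {
  local rc p
  ss -ltn 2>/dev/null | check_bind "$ORCH_PORT" && rc=0 || rc=$?
  case "$rc" in
    0) echo "ok: port $ORCH_PORT is bound to loopback only" ;;
    1) echo "FAIL: port $ORCH_PORT is reachable from the network" ;;
    2) echo "note: nothing is listening on port $ORCH_PORT" ;;
  esac
  for p in "$ORCH_DIR" "$ORCH_DIR/variables.json" "$ORCH_DIR/whatsapp/auth"; do
    check_private_path "$p" && rc=0 || rc=$?
    case "$rc" in
      0) echo "ok: $p is private (no group/other bits)" ;;
      1) echo "FAIL: $p is readable by group or others" ;;
      2) echo "note: $p is not present" ;;
    esac
  done
}

if [ "${ORCH_CHECK_HOST:-0}" = 1 ]; then
  run_host_checks
fi
```

Run it as `ORCH_CHECK_HOST=1 bash check.sh` on the machine that runs orchestrator. The bind parser is written for `ss -ltn` output; on a host without `ss`, pipe the equivalent listener lines into `check_bind` yourself, since `netstat` and `lsof` print a different column layout. A FAIL from `check_bind` means the unauthenticated API is no longer limited to the host boundary the policy assumes.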

Best Practices

  • Never commit variables.json with real credentials
  • Keep ~/.orchestrator/ out of version control
  • Review agent CLAUDE.md files for any hardcoded secrets before sharing
  • Use the permission sandbox — don't disable agent deny-lists
