busbar-sf-agentscript 0.0.2

AgentScript parser, graph analysis, and LSP for Salesforce Agentforce
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

# Security Policy

## Supported Versions

We provide security updates for the following versions:

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

### Private Disclosure

**DO NOT** create a public GitHub issue for security vulnerabilities.

Instead, please report security issues by:

1. **Email**: Contact the maintainers directly (check repository settings for contact info)
2. **GitHub Security Advisory**: Use GitHub's private vulnerability reporting feature
   - Go to the Security tab in the repository
   - Click "Report a vulnerability"
   - Fill out the form with details

### What to Include

When reporting a vulnerability, please include:

- **Description**: Clear description of the vulnerability
- **Impact**: What could an attacker do with this vulnerability?
- **Reproduction**: Step-by-step instructions to reproduce the issue
- **Environment**: Rust version, OS, and any relevant configuration
- **Suggested Fix**: If you have ideas on how to fix it (optional)

### Response Timeline

- **Acknowledgment**: Within 48 hours
- **Initial Assessment**: Within 1 week
- **Status Updates**: Every week until resolved
- **Fix Release**: Depends on severity
  - Critical: Within days
  - High: Within 1-2 weeks
  - Medium: Within 1 month
  - Low: Next regular release

## Security Measures

### Automated Security

This project uses multiple layers of automated security:

1. **Daily Security Audits**
   - Automated scanning via GitHub Actions
   - Checks against RustSec Advisory Database
   - Runs every day at 00:00 UTC

2. **Dependency Vulnerability Scanning**
   - `cargo-audit`: Scans for known vulnerabilities
   - `cargo-deny`: Enforces dependency policies
   - Runs on every PR and push

3. **License Compliance**
   - Only approved open-source licenses
   - Automatic detection of license violations

4. **Continuous Integration**
   - All tests must pass before merge
   - Clippy lints catch potential bugs
   - Code coverage tracking

### Manual Security Practices

1. **Code Review**: All changes reviewed by maintainers
2. **Minimal Dependencies**: We keep dependencies minimal
3. **Dependency Updates**: Regular updates for security patches
4. **Safe Rust**: Minimize use of `unsafe` code
5. **Input Validation**: Strict validation of all inputs

### Running Security Checks Locally

Before submitting code, run:

```bash
# Install security tools
cargo install cargo-audit cargo-deny

# Run comprehensive security checks
cargo audit
cargo deny check advisories
cargo deny check licenses
cargo deny check bans
cargo deny check sources
```

## Known Security Considerations

### Parser Security

- **Input Validation**: All Agentscript input is validated
- **Resource Limits**: Parser has limits to prevent DoS
- **Error Handling**: Errors don't leak sensitive information

### Runtime Security

- **Sandboxing**: Runtime execution is isolated (future)
- **Resource Limits**: Memory and execution time limits (future)
- **Permission System**: Controlled access to system resources (future)

## Security Best Practices for Contributors

1. **Never commit secrets**: No API keys, passwords, tokens, etc.
2. **Validate all inputs**: Especially in parser and runtime
3. **Handle errors safely**: Don't expose internal details
4. **Use safe Rust**: Avoid `unsafe` unless absolutely necessary
5. **Document unsafe code**: If you must use `unsafe`, document why
6. **Check dependencies**: Review new dependencies for security
7. **Update dependencies**: Keep dependencies current

## Security-Related Configuration

### deny.toml

Our `cargo-deny` configuration:
- Denies known vulnerabilities
- Warns about unmaintained crates
- Denies yanked crates
- Enforces approved licenses only

### Cargo.toml

Security-related settings:
- Locked dependency versions
- Minimal dependencies
- Well-maintained dependencies only

## Public Disclosure

Once a vulnerability is fixed:

1. We will release a patched version
2. Credit will be given to the reporter (unless they prefer anonymity)
3. A security advisory will be published
4. Details will be added to CHANGELOG.md

## Questions?

If you have questions about security but don't have a vulnerability to report:
- Open a discussion on GitHub
- Check existing security documentation
- Review our CI/CD workflows for security practices