prismtty 1.1.0

Fast terminal output highlighter focused on network devices and Unix systems
Documentation
# Security Policy

## Supported Versions

Security fixes are handled on the latest release and the current `main` branch.
Older releases may receive fixes when the affected code is still relevant and a
safe backport is practical.

## Reporting a Vulnerability

Please do not open a public issue with exploit details, private terminal
captures, credentials, or sensitive environment information.

Use GitHub private vulnerability reporting for this repository when available.
If private reporting is not available, open a minimal public issue asking for a
security contact and omit technical details until a private channel is arranged.

Useful reports include:

- Affected PrismTTY version or commit.
- Operating system and terminal environment.
- The smallest synthetic input or config that reproduces the issue.
- Expected and observed behavior.
- Impact assessment, especially whether the input crosses a trust boundary such
  as remote terminal output, local config parsing, release packaging, or trace
  file creation.

## Sensitive Data

PrismTTY is often used around network devices and administrative shells. Do not
attach real device captures, private hostnames, customer names, IP inventories,
credentials, or trace files from sensitive sessions. Reduce reports to synthetic
examples that preserve only the token shape needed to reproduce the issue.

## Operational Cautions

- `--local-echo` echoes every typed printable key, including secrets typed at
  prompts that deliberately suppress echo (password prompts). Leave it off when
  entering credentials.
- `--trace-io` records all PTY input and output to the trace file, including
  typed passwords. The file is created owner-only (0600), but treat it as
  sensitive and delete it after debugging.
- User-supplied rule regexes run against every byte of terminal output.
  PrismTTY bounds each match (PCRE2 match limits, 8 KiB read chunks), so a
  pathological pattern cannot hang it, but expensive patterns (for example
  unanchored lookaheads such as `(?=.*foo)`) can slow throughput severely on
  very long lines. PrismTTY warns once per session when a rule crosses five
  seconds of cumulative matching time; use `--benchmark` to identify slow
  rules in a config.
- By default PrismTTY is a transparent wrapper: escape sequences from the
  wrapped program pass through unchanged, exactly like `ssh` or `tmux`. When
  working against untrusted remote devices, `--sanitize` strips string-type
  escapes (window title, OSC 52 clipboard, DCS/SOS/PM/APC payloads) from
  program output while leaving colors and cursor control intact.