purple-ssh 2.33.5

Open-source terminal SSH manager and SSH config editor. Search hundreds of hosts, sync from 16 clouds, transfer files, manage Docker and Podman over SSH, sign short-lived Vault SSH certs and expose an MCP server for AI agents. Rust TUI, MIT licensed.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

# Security Policy

## Supported versions

Only the latest release receives security patches.

| Version | Supported |
|---------|-----------|
| Latest  | Yes       |
| Older   | No        |

## Reporting a vulnerability

Please report vulnerabilities through
[GitHub Security Advisories](https://github.com/erickochen/purple/security/advisories/new).

Do not open a public issue for security vulnerabilities.

If GitHub is inaccessible you can email security@getpurple.sh.

### What to include

- Description of the vulnerability and its impact
- Steps to reproduce or a proof of concept
- The version of purple you tested against
- Whether the issue is already publicly known

### What to expect

- We aim to acknowledge reports within a week
- We aim to provide a fix or status update within 30 days
- Credit in the changelog and GitHub advisory (unless you prefer
  to stay anonymous)

We will not pursue legal action against anyone who reports a
vulnerability in good faith and follows this policy.

## Scope

### In scope

- Credential or token leakage (askpass, keychain, provider tokens)
- SSH config injection or path traversal
- Arbitrary code execution not initiated by the user
- File browser directory traversal beyond intended scope
- Container ID or shell command injection
- Bypass of TLS verification when not explicitly disabled
- Tampering with the self-update mechanism

### Out of scope

Purple is a terminal SSH client that executes commands by design.
The following are not considered vulnerabilities:

- Command execution via SSH connections. Purple spawns the system
  `ssh` binary as its core function
- Snippet execution on user-selected hosts
- Askpass prompting for passwords the user has configured
- Attacks that require pre-existing access to the user's machine.
  Read access to `~/.ssh/config` and `~/.purple/` is assumed.
  Bugs that cause purple to write sensitive files with wrong
  permissions are still in scope
- Denial of service against the local TUI process
- Social engineering or phishing

## Disclosure policy

We follow coordinated disclosure with a 90-day window. Please
keep your report confidential until a fix is released or 90 days
have passed since the initial report.