Security: vaur94/oma

Security Policy

Supported Versions

Version Supported
2.0.x
1.8.x ⚠️
< 1.8

We recommend running the latest release. Security fixes are backported only to the latest minor version of the current major version.

Reporting a Vulnerability

Please do not open a public issue for security reports.

Report vulnerabilities through one of these channels:

  1. GitHub Security Advisories (preferred): https://github.com/vaur94/oma/security/advisories/new

  2. Email: Send details to the maintainers listed in package.json.

Include as much detail as possible to help us reproduce and verify the issue:

  • Description of the vulnerability
  • Steps to reproduce
  • Affected version(s)
  • Any known mitigations

Response Timeline

Severity   Initial Response   Fix Timeline
Critical   24 hours           7 days
High       48 hours           14 days
Medium     5 business days    30 days
Low        10 business days   Next release

Security Boundaries

OMA runs with the same permissions as the user who invokes it. Key boundaries:

  • File access: Controlled by the embedded permission engine. File read/write is scoped to the workspace unless explicitly authorized.
  • Shell execution: The run_command tool executes commands on the host system. Restrict it via the commandSurface config.
  • Network: OMA makes outbound HTTPS requests to LLM providers only. No inbound listeners are opened.
  • Environment variables: API keys must be provided via environment — never hardcode credentials.
  • Config loading: Config files are read locally; never load config from untrusted paths.

Configuration Security Recommendations

{
  "commandSurface": {
    "allowDangerousCommands": false,
    "restrictedCommands": ["rm -rf"],
  },
}

  • Keep allowDangerousCommands disabled in production.
  • Use .oma/oma.jsonc for project-local config instead of global config when working with untrusted repositories.
  • Rotate API keys regularly.
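
The recommendations above can be checked mechanically before a config is used, for example in CI. The following is an added example, not code from the OMA project: it parses JSONC text and reports settings that depart from this page's guidance. The function names, the credential key-name pattern and the "provider.apiKey" key in the sample are assumptions made for illustration, and the check does not model how OMA itself evaluates commandSurface.

```javascript
// Added example (not OMA's code): JSONC-aware lint for the recommendations above.
function stripJsonc(text) {
  let out = "", i = 0;
  while (i < text.length) {
    const c = text[i];
    if (c === '"') {
      let j = i + 1; // find the closing quote, skipping escaped characters
      while (j < text.length && text[j] !== '"') j += text[j] === "\\" ? 2 : 1;
      out += text.slice(i, j + 1); // string contents are copied untouched
      i = j + 1;
    } else if (text.startsWith("//", i)) {
      while (i < text.length && text[i] !== "\n") i++;
    } else if (text.startsWith("/*", i)) {
      const end = text.indexOf("*/", i + 2);
      i = end === -1 ? text.length : end + 2;
    } else {
      if (c === "}" || c === "]") out = out.replace(/,\s*$/, ""); // trailing comma
      out += c;
      i++;
    }
  }
  return out;
}

function lintOmaConfig(jsoncText) {
  const cfg = JSON.parse(stripJsonc(jsoncText));
  const findings = [];
  const surface = cfg.commandSurface || {};
  if (surface.allowDangerousCommands !== false)
    findings.push("commandSurface.allowDangerousCommands is not explicitly false");
  if (!Array.isArray(surface.restrictedCommands) || surface.restrictedCommands.length === 0)
    findings.push("commandSurface.restrictedCommands is missing or empty");
  // Assumption: credential-like key names are matched by this heuristic pattern.
  const walk = (node, path) => {
    for (const [k, v] of Object.entries(node)) {
      if (typeof v === "string" && v !== "" && /api[_-]?key|secret|token|password/i.test(k))
        findings.push(`${path}${k} holds a literal credential; use an environment variable`);
      else if (v !== null && typeof v === "object") walk(v, `${path}${k}.`);
    }
  };
  walk(cfg, "");
  return findings;
}

const SAMPLE_RISKY = `{ // constructed sample; "provider.apiKey" is a hypothetical key
  "commandSurface": { "allowDangerousCommands": true, },
  "provider": { "apiKey": "PLACEHOLDER-not-a-real-key" /* hardcoded */ },
}`;
console.log(lintOmaConfig(SAMPLE_RISKY));
```

An empty result means none of the three checks fired; it says nothing about settings this page does not describe.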

Dependency Security

Run npm audit or bun audit periodically to check for known vulnerabilities in dependencies.

Credits

We follow a coordinated disclosure process. Credit will be given to reporters unless they request anonymity.
