GovEngine is a governance and contract-helper package. It is not a scanner, exploit framework, sandbox, or authorization authority.
GovEngine is currently a 1.0 release candidate. Security fixes should target
main until the stable release line exists; publication remains blocked by
the independent contract-review gate.
Please report security-sensitive issues privately to the project owner when possible. Do not publish credentials, private targets, raw runtime logs, or exploit details in public issues.
GovEngine must not:
- treat LLM prose as executable authority;
- construct live shell commands from untrusted text;
- widen Ravenclaw/GovEngine/SCLite dependency direction;
- publish raw stdout/stderr, command logs, credentials, cookies, private paths, or private target identifiers;
- claim authorization to test a target;
- claim live vulnerability evidence from dry-run artifacts.
The detailed trusted computing base, attacker model and residual risks are in
docs/THREAT_MODEL.md. Tested guarantees, digest
bindings and explicit non-claims are in
docs/SECURITY_GUARANTEES.md.
GovEngine runs in the host process. It does not claim resistance to a malicious or fully compromised in-process host that skips the library or ignores its decision.
New safety-sensitive code should be deterministic by default, testable without live targets, and explicit about:
- scope and policy decisions;
- approved vs prepared execution shape;
- dry-run/local/mock/live truth;
- receipt/evidence non-claims;
- owner-review boundaries.