
Security: Finesssee/linear-cli


Security

linear-cli is a local-first CLI for Linear.app. Its primary security concerns are credential handling, safe interaction with untrusted Linear and GitHub responses, safe subprocess execution, and cautious handling of local listeners, exported data, and downloaded uploads.

Supported versions

Version              Supported
0.3.18               Yes
0.3.17 and earlier   No

Security fixes and documentation updates are only guaranteed on the latest release line.

Reporting a vulnerability

Please avoid posting sensitive exploit details in a public GitHub issue.

Preferred reporting path:

  1. Use GitHub's private vulnerability reporting for this repository if it is available.
  2. If private reporting is unavailable, contact the maintainer through GitHub first and share only the minimum details needed to reproduce the issue privately.

Include:

  • the linear-cli version
  • your OS and installation path
  • whether you used API-key auth or OAuth
  • whether the issue requires local access, a malicious Linear workspace member, or network access
  • a minimal reproduction, logs, or screenshots with secrets redacted

Security notes

  • API keys and OAuth tokens may come from LINEAR_API_KEY, OS keyring storage, or the config file under the user's config directory.
  • The OAuth callback listener binds to 127.0.0.1 and validates both state and PKCE before exchanging the authorization code.
  • The optional webhook listener defaults to 127.0.0.1, verifies the linear-signature header with HMAC-SHA256, and enforces request size and timeout limits.
  • Downloads of Linear uploads are restricted to https://uploads.linear.app and only follow redirects whose target stays on that host.
  • The update flow checks GitHub Releases and shells out to local Cargo tooling rather than executing shell text. Update installation can also be triggered from the startup prompt path, including auto-confirmed runs with the global --yes flag.
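The webhook signature check and the upload-host restriction described above, as an added illustration written for this page. It is not linear-cli's own code (the project is a Rust CLI); the function names, the 64 KiB size limit, and the assumption that the linear-signature header carries a lowercase hex HMAC-SHA256 of the raw request body are all assumptions made for the example. The redirect walk is simulated with a dictionary standing in for Location headers, so it runs offline.

```python
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed sample secret for the example; not a real credential.
WEBHOOK_SECRET = b"constructed-webhook-secret"
# Assumed request size limit (the real limit in linear-cli is not stated on this page).
MAX_BODY_BYTES = 64 * 1024
ALLOWED_UPLOAD_HOST = "uploads.linear.app"


def compute_signature(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (assumed header encoding)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Accept a webhook only if the body is within the size limit and the
    linear-signature header matches. The comparison is constant-time so the
    check does not leak how many leading bytes of the MAC were correct."""
    if header_value is None:
        return False
    if len(body) > MAX_BODY_BYTES:
        return False
    expected = compute_signature(secret, body).encode("ascii")
    presented = header_value.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, presented)


def is_allowed_upload_url(url: str) -> bool:
    """Only https URLs whose host is exactly uploads.linear.app are allowed.
    Subdomain look-alikes, embedded credentials and non-443 ports are rejected."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    if parts.hostname != ALLOWED_UPLOAD_HOST:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:  # malformed port
        return False
    return True


def follow_redirects(start_url: str, redirect_map: Dict[str, str], max_hops: int = 5) -> Optional[str]:
    """Walk a redirect chain, refusing any hop that leaves the allowed host.
    redirect_map simulates Location headers (url -> next url). Returns the final
    URL, or None if the chain leaves the host or exceeds max_hops."""
    url = start_url
    for _ in range(max_hops + 1):
        if not is_allowed_upload_url(url):
            return None
        nxt = redirect_map.get(url)
        if nxt is None:
            return url
        url = nxt
    return None


def callback_state_ok(expected_state: str, received_state: Optional[str]) -> bool:
    """The OAuth callback's state parameter is compared in constant time before
    the authorization code is exchanged."""
    if received_state is None:
        return False
    return hmac.compare_digest(expected_state.encode("utf-8"), received_state.encode("utf-8"))


if __name__ == "__main__":
    body = b'{"action": "create", "type": "Issue"}'  # constructed payload
    sig = compute_signature(WEBHOOK_SECRET, body)
    print("valid webhook:", verify_webhook(WEBHOOK_SECRET, body, sig))
    print("tampered body:", verify_webhook(WEBHOOK_SECRET, body + b" ", sig))
    hops = {"https://uploads.linear.app/a": "https://cdn.example.net/a"}  # constructed
    print("off-host redirect:", follow_redirects("https://uploads.linear.app/a", hops))
```

The host check deliberately compares the full hostname rather than using a suffix match, since `uploads.linear.app.attacker.example` would pass a naive `endswith` test; the redirect walk re-applies the same check to every hop rather than only to the first URL.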

There aren’t any published security advisories