Status: draft.
Owns: Security reporting and the boundary for security-sensitive claims.
Does not own: The threat model, proof contracts, operational assurance, or release status.
Kapsel is pre-release and has no supported production version. Do not use the current repository for consequential production actions.
Do not open a public issue for a suspected vulnerability involving package parsing, signature or receipt verification, trust evaluation, key handling, storage recovery, profile linkage, or disclosure of sensitive material. Report it privately through GitHub Security Advisories. Include the affected revision, reproduction steps, impact, and whether disclosure is time-sensitive.
No response-time or remediation SLA is promised before production assurance work in KAP-0022.
The current security model is defined by:
A valid signature authenticates bytes under a key. External policy decides whether that key has authority. Reports must preserve that distinction.
The active implementation is still the pre-pivot webhook alpha while KAP-0018 proceeds. It does not implement the current Kapsel V1 security contract. Historical behavior is not a supported security guarantee.