fix(release): enforce version metadata sync

Author: SysAdminDoc

.gitignore

@@ -49,4 +49,5 @@ content_calendar.ics
 !CHANGELOG.md
 !ROADMAP.md
 !RESEARCH*.md
+!SECURITY.md
 !docs/PYTHON_ADVISORIES.md

CHANGELOG.md

@@ -3,6 +3,14 @@
 Notable changes from the June 2026 hardening/audit pass. The authoritative
 record also lives in the git commit messages.
 
+## [Unreleased]
+
+### Fixed — release process
+
+- Version sync now covers the security support table, CEP package-lock root
+  metadata, and the C2PA claim-generator string so release smoke fails when
+  those public version surfaces drift.
+
 ## [1.33.0] — 2026-06-11 — June hardening & quality pass
 
 ### Fixed — Docker/runtime

SECURITY.md

@@ -0,0 +1,124 @@
+# Security Policy
+
+## Supported Versions
+
+OpenCut ships rapidly. We actively support the **latest minor** (`1.33.x`) and the one immediately preceding it (`1.32.x`). Older minors receive security-only backports for 90 days after they're superseded.
+
+| Version | Supported         | Security fixes until |
+|---------|-------------------|----------------------|
+| 1.33.x  | ✅ Active         | —                    |
+| 1.32.x  | ✅ Previous       | +90 days after 1.33  |
+| 1.31.x  | ⚠️ Critical only  | +30 days after 1.33  |
+| ≤ 1.30  | ❌ End of life    | n/a                  |
+
+Version numbers ship in [`opencut/__init__.py`](opencut/__init__.py) and are kept in sync by [`scripts/sync_version.py`](scripts/sync_version.py).
+
+## Reporting a Vulnerability
+
+**Please do not open public GitHub issues for security problems.**
+
+Email [matt@mavenimaging.com](mailto:matt@mavenimaging.com) with:
+
+1. A description of the issue — what you see, what you expected.
+2. Reproducer steps, ideally as a minimal request / script / config.
+3. The commit SHA + `__version__` you tested against.
+4. Your assessment of severity (low / medium / high / critical) and why.
+
+We acknowledge reports within **72 hours** and aim to land a fix or mitigation within:
+
+- **Critical** — 72 hours (RCE, auth bypass, data exfiltration, sandbox escape)
+- **High** — 7 days (privilege escalation, unauthenticated DoS on a production endpoint)
+- **Medium** — 30 days (authenticated DoS, information disclosure, supply-chain risk)
+- **Low** — 90 days (hardening suggestions, theoretical concerns)
+
+We don't run a paid bounty programme, but we credit reporters in `CHANGELOG.md` and the release notes unless you prefer to remain anonymous.
+
+## In Scope
+
+- `opencut/` backend (Flask API, job system, CLI, MCP server)
+- `extension/com.opencut.panel/` CEP panel (HTML/JS/ExtendScript)
+- `extension/com.opencut.uxp/` UXP panel (HTML/JS)
+- `installer/` (C# WPF Windows installer)
+- `scripts/` build + utility scripts
+- `tests/fuzz/` harness targets
+
+## Out of Scope
+
+- Third-party dependencies (report upstream). We monitor `pyproject.toml` / `requirements.txt` via Dependabot.
+- User-supplied plugins loaded via `~/.opencut/plugins/` — plugins run with the host's trust, so audit before installing.
+- Social-engineering / phishing attacks against maintainers.
+- Reports that require pre-existing local code execution (e.g. "an attacker with shell access can edit `~/.opencut/settings.json`").
+
+## Known-Safe-By-Design Surface
+
+OpenCut's security model leans on a handful of intentional choices:
+
+- **CSRF on every mutation.** `@require_csrf` decorator on all `POST`/`PUT`/`PATCH`/`DELETE` routes. Token rotates per server start, delivered via `GET /health`, sent as `X-OpenCut-Token` header.
+- **Path validation.** All file-accepting routes pass user-supplied paths through `security.validate_path()` / `validate_filepath()` / `validate_output_path()`. Realpath resolution, null-byte rejection, symlink-out-of-allowlist defence.
+- **SSRF defence.** Outbound URL validators (`_validate_webhook_url`, `_validate_download_url`) reject localhost, loopback, private IPs, link-local, reserved ranges.
+- **Rate-limit categories.** Four-way classification (`gpu_heavy` / `cpu_heavy` / `io_bound` / `light`) bounds concurrent work per category — see `core/rate_limit_categories.py`.
+- **Scripting console sandbox.** Dunder builtins stripped, `__import__` / `exec` / `eval` / `compile` / `open` / `os` / `sys` / `subprocess` blocked in AST. Context keys containing `__` rejected.
+- **Fuzz harness** for parsers (`tests/fuzz/`) — SRT / VTT / `.cube` / voice-grammar parsers are expected to be total.
+- **Atomic writes** for user-data files via `tempfile + os.replace`.
+
+## Hardening Recommendations
+
+Operators running OpenCut in a shared-network environment should:
+
+1. Bind to `127.0.0.1` only (default) — the service is single-user. Non-loopback binds require `OPENCUT_ALLOW_REMOTE=1`.
+2. **Use the persistent local auth token when binding non-loopback.**
+   Setting `OPENCUT_ALLOW_REMOTE=1` automatically issues a token under
+   `~/.opencut/auth.json` (POSIX: mode `0600`). Every non-loopback
+   request must include `X-OpenCut-Auth: <token>`. Loopback peers
+   (`127.0.0.1`, `::1`) still bypass the token to keep the single-user
+   workflow snappy.
+3. Read or rotate the token explicitly:
+   ```bash
+   opencut-server --print-auth     # print the persisted token
+   opencut-server --rotate-auth    # generate a fresh token, then exit
+   ```
+   The `GET /auth/info` endpoint returns *metadata only* — it never
+   includes the token value. Treat `~/.opencut/auth.json` like an SSH
+   private key; never check it into source control.
+4. Set `SENTRY_DSN` so crashes route to a tracker you control.
+5. Set `PLAUSIBLE_HOST` + `PLAUSIBLE_DOMAIN` (optional) for usage telemetry.
+6. Configure `OPENCUT_TEMP_CLEANUP_*` to fit the expected workload.
+7. Use the bundled FFmpeg or build FFmpeg explicitly — distro builds can lag on CVE fixes.
+8. Keep `~/.opencut/plugins/` empty until you've audited each plugin manifest.
+
+### Threat model for non-loopback binds
+
+Default deployment: a single user, on their workstation, talking to
+`127.0.0.1:5679`. The Adobe Premiere CEP/UXP panel sits on the same
+machine. We deliberately do **not** require an API key in that path
+because the token would be visible to anything that can read the panel
+preferences anyway.
+
+When the operator opts into `OPENCUT_ALLOW_REMOTE=1` (e.g. remote
+render host on a private VLAN), the threat surface changes:
+
+- Anyone who can hit the bind address can issue render jobs, read media
+  paths, or call shell-adjacent endpoints (FFmpeg invocations, OS
+  shell-out for ``open``/Finder integration).
+- CSRF alone is not enough — CSRF protects browser sessions, not API
+  clients on the same network.
+
+The local auth token closes that gap: non-loopback callers must include
+the token in the `X-OpenCut-Auth` header (a `?auth=` query string is
+also accepted for tools that can't set headers). `/health` and
+`/auth/info` remain exempt so panels can bootstrap connectivity and
+render a "Authentication required" hint.
+
+## Software Bill of Materials (SBOM)
+
+Generate a declared-dependency CycloneDX SBOM from `pyproject.toml`,
+`requirements.txt`, and OpenCut model-card metadata:
+
+```bash
+python scripts/sbom.py
+```
+
+The script writes `dist/opencut-declared-sbom.cyclonedx.json` (or `.xml` with
+`--format xml`) and marks the CycloneDX metadata as `declared-only`. The
+committed `requirements-lock.txt` is audited separately by the pip-audit release
+gate; it is not presented as a resolved installed-package SBOM inventory.

extension/com.opencut.panel/package-lock.json

@@ -71,7 +71,7 @@
 SPEC_VERSION = "0.2-sidecar"  # OpenCut sidecar wire-format; bumped for the F140 C2PA 2.3 alignment
 MANIFEST_SPEC_VERSION = SPEC_VERSION  # public alias
 C2PA_SPEC_VERSION = "2.3"  # the C2PA specification version our action vocabulary follows
-CLAIM_GENERATOR_DEFAULT = "OpenCut/1.32.0 (sidecar; c2pa-spec 2.3)"
+CLAIM_GENERATOR_DEFAULT = "OpenCut/1.33.0 (sidecar; c2pa-spec 2.3)"
 
 
 # F140 — C2PA 2.3 action vocabulary. This is the documented set of

opencut/core/c2pa_sidecar.py

@@ -19,7 +19,8 @@
 INIT_PY = ROOT / "opencut" / "__init__.py"
 
 # Each entry: (relative path, regex pattern, replacement template)
-# The replacement template uses {v} for the version string.
+# The replacement template uses {v} for the version string and may also use
+# computed release-series placeholders from version_tokens().
 TARGETS = [
     (
         "pyproject.toml",
@@ -110,6 +111,19 @@
         r'("version":\s*")[0-9]+\.[0-9]+\.[0-9]+(")',
         r'\g<1>{v}\g<2>',
     ),
+    # CEP package-lock.json root package metadata. Keep these patterns scoped
+    # to the package root so dependency versions such as lightningcss 1.32.0
+    # are not rewritten as OpenCut releases.
+    (
+        "extension/com.opencut.panel/package-lock.json",
+        r'(^\s*"version":\s*")[0-9]+\.[0-9]+\.[0-9]+(",\s*$)',
+        r'\g<1>{v}\g<2>',
+    ),
+    (
+        "extension/com.opencut.panel/package-lock.json",
+        r'("":\s*\{\s*"name":\s*"opencut-panel",\s*"version":\s*")[0-9]+\.[0-9]+\.[0-9]+(")',
+        r'\g<1>{v}\g<2>',
+    ),
     # UXP manifest.json
     (
         "extension/com.opencut.uxp/manifest.json",
@@ -133,9 +147,72 @@
         r'(<span id="uxpVersionDisplay">)[0-9]+\.[0-9]+\.[0-9]+( \(UXP\)</span>)',
         r'\g<1>{v}\g<2>',
     ),
+    # Security support policy tracks minor series, not full patch releases.
+    (
+        "SECURITY.md",
+        r'(latest minor\*\* \(`)[0-9]+\.[0-9]+\.x(`\) and the one immediately preceding it \(`)[0-9]+\.[0-9]+\.x(`\))',
+        r'\g<1>{series}\g<2>{previous_series}\g<3>',
+    ),
+    (
+        "SECURITY.md",
+        r'(\| )[0-9]+\.[0-9]+\.x(\s+\|[^\n]*Active[^\n]*\|\s*)[^\n|]+(\s*\|)',
+        r'\g<1>{series}\g<2>—                    \g<3>',
+    ),
+    (
+        "SECURITY.md",
+        r'(\| )[0-9]+\.[0-9]+\.x(\s+\|[^\n]*Previous[^\n]*\|\s*)\+90 days after [0-9]+\.[0-9]+(\s*\|)',
+        r'\g<1>{previous_series}\g<2>+90 days after {latest_minor}\g<3>',
+    ),
+    (
+        "SECURITY.md",
+        r'(\| )[0-9]+\.[0-9]+\.x(\s+\|[^\n]*Critical only[^\n]*\|\s*)\+30 days after [0-9]+\.[0-9]+(\s*\|)',
+        r'\g<1>{critical_series}\g<2>+30 days after {latest_minor}\g<3>',
+    ),
+    (
+        "SECURITY.md",
+        r'(\| )[≤<=>\s]*[0-9]+\.[0-9]+(\s+\|[^\n]*End of life[^\n]*\|\s*)n/a(\s*\|)',
+        r'\g<1>≤ {eol_minor}\g<2>n/a\g<3>',
+    ),
+    (
+        "opencut/core/c2pa_sidecar.py",
+        r'(CLAIM_GENERATOR_DEFAULT\s*=\s*"OpenCut/)[0-9]+\.[0-9]+\.[0-9]+( \(sidecar; c2pa-spec 2\.3\)")',
+        r'\g<1>{v}\g<2>',
+    ),
 ]
 
 
+def version_tokens(version: str) -> dict[str, str]:
+    """Return replacement tokens derived from an X.Y.Z version string."""
+    major_s, minor_s, patch_s = version.split(".")
+    major = int(major_s)
+    minor = int(minor_s)
+
+    def minor_at(offset: int) -> int:
+        return max(minor + offset, 0)
+
+    return {
+        "v": version,
+        "major": str(major),
+        "minor": str(minor),
+        "patch": patch_s,
+        "series": f"{major}.{minor}.x",
+        "previous_series": f"{major}.{minor_at(-1)}.x",
+        "critical_series": f"{major}.{minor_at(-2)}.x",
+        "latest_minor": f"{major}.{minor}",
+        "previous_minor": f"{major}.{minor_at(-1)}",
+        "critical_minor": f"{major}.{minor_at(-2)}",
+        "eol_minor": f"{major}.{minor_at(-3)}",
+    }
+
+
+def render_replacement(replacement: str, version: str) -> str:
+    """Expand sync_version replacement placeholders for a target."""
+    rendered = replacement
+    for key, value in version_tokens(version).items():
+        rendered = rendered.replace(f"{{{key}}}", value)
+    return rendered
+
+
 def read_version() -> str:
     """Read __version__ from opencut/__init__.py."""
     text = INIT_PY.read_text(encoding="utf-8")
@@ -158,7 +235,7 @@ def set_version(new_ver: str) -> None:
     print(f"  SET  {INIT_PY.relative_to(ROOT)}  ->  {new_ver}")
 
 
-def check_file(rel_path: str, pattern: str, version: str) -> bool:
+def check_file(rel_path: str, pattern: str, replacement: str, version: str) -> bool:
     """Check if a file's version matches. Returns True if in sync."""
     fpath = ROOT / rel_path
     if not fpath.exists():
@@ -169,9 +246,10 @@ def check_file(rel_path: str, pattern: str, version: str) -> bool:
     if not m:
         return True  # Pattern not found — nothing to check
 
-    # Extract current version from the matched text
     matched = m.group(0)
-    if version in matched:
+    repl = render_replacement(replacement, version)
+    expected = re.sub(pattern, repl, matched, count=1, flags=re.MULTILINE)
+    if expected == matched:
         return True
 
     print(f"  MISMATCH {rel_path}  (expected {version})")
@@ -186,7 +264,7 @@ def sync_file(rel_path: str, pattern: str, replacement: str, version: str) -> bo
         return False
 
     text = fpath.read_text(encoding="utf-8")
-    repl = replacement.replace("{v}", version)
+    repl = render_replacement(replacement, version)
     updated, count = re.subn(pattern, repl, text, count=1, flags=re.MULTILINE)
 
     if count == 0:
@@ -217,8 +295,8 @@ def main() -> None:
     if args.check:
         print(f"\nChecking version {version} across project files:\n")
         all_ok = True
-        for rel_path, pattern, _replacement in TARGETS:
-            if not check_file(rel_path, pattern, version):
+        for rel_path, pattern, replacement in TARGETS:
+            if not check_file(rel_path, pattern, replacement, version):
                 all_ok = False
         if all_ok:
             print(f"\nAll files in sync at v{version}.")

scripts/sync_version.py

@@ -225,6 +225,9 @@ def test_cloud_trust_list_omitted_when_blank(asset):
 def test_claim_generator_documents_c2pa_2_3():
     """The default claim_generator string must surface the spec version
     we target so verifiers see it without parsing the manifest."""
+    from opencut import __version__
+
+    assert f"OpenCut/{__version__}" in c2pa.CLAIM_GENERATOR_DEFAULT
     assert "2.3" in c2pa.CLAIM_GENERATOR_DEFAULT