docs: document security notes in SECURITY.md (v0.7.39)

boxlinknet · boxlinknet · commit f62360b710d3 · 2026-03-14T02:20:41.000+03:00
Added notes on trusted config params (log_file, env_file), thread
safety limitations, and user input in error messages.
diff --git a/SECURITY.md b/SECURITY.md
@@ -21,3 +21,17 @@ Include:
 - Potential impact
 
 You will receive a response within 48 hours.
+
+## Security Notes
+
+### Trusted configuration parameters
+
+`log_file` and `env_file` are passed directly to `open()`. These are trusted configuration values set by the developer, not user input. Do not expose them to end users or accept them from untrusted sources.
+
+### Thread safety
+
+`KwtSMS` and `AsyncKwtSMS` instances are not thread-safe. Cached values (`_cached_balance`, `_cached_purchased`) are read and written without locks. In CPython, the GIL makes simple float assignment atomic in practice, but this is not guaranteed by the language spec. If sharing a client instance across threads, protect calls with your own lock.
+
+### Error messages may contain user input
+
+Validation error messages (e.g., `"'user@gmail.com' is an email address, not a phone number"`) include the raw input. This is safe in JSONL logs (JSON-encoded). If you display these messages in HTML, escape them first to prevent XSS.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "kwtsms"
-version = "0.7.38"
+version = "0.7.39"
 description = "Python client for kwtSMS, the Kuwait SMS gateway trusted by top businesses to deliver messages worldwide, with private Sender ID, free API testing, and non-expiring credits."
 readme = "README.md"
 requires-python = ">=3.8"
diff --git a/src/kwtsms/__init__.py b/src/kwtsms/__init__.py
@@ -26,4 +26,4 @@
 __all__ = ["KwtSMS", "AsyncKwtSMS", "normalize_phone", "clean_message",
            "validate_phone_input", "parse_webhook",
            "find_country_code", "validate_phone_format"]
-__version__ = "0.7.38"
+__version__ = "0.7.39"
