This is a hobby project maintained by a single person. If you discover a security vulnerability in quadletman, you may report it, but there is no guarantee that it will be fixed.
Do not open a public GitHub issue for security vulnerabilities.
Please use GitHub's private vulnerability reporting.
Include:
- A description of the vulnerability
- Steps to reproduce
- The potential impact
- Any suggested fix (optional)
This is a side project maintained by a single developer. There are no officially supported versions. See also LICENSE.
quadletman runs as a dedicated quadletman system user (or root for legacy
installations) and manages Podman containers via per-compartment Linux users.
Admin operations escalate via the authenticated user's sudo credentials.
Key security controls:
- PAM-based authentication restricted to sudo/wheel group members
- Branded-type input validation at every layer boundary
- Session credentials stored in the Linux kernel keyring (when available)
- CSRF protection via double-submit cookie
- CSP headers blocking all external resource loading
- All host mutations routed through audited wrappers