| Version | Supported |
|---|---|
| 0.x | Yes |
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public GitHub issue.
- Email: nate@lorecraft.io
- Include: description of the vulnerability, steps to reproduce, and potential impact.
- You will receive acknowledgment within 48 hours.
task-maxxing stitches together four services. Each has its own credential, each stored in a local .env file (gitignored, chmod 600 recommended):
| Credential | Grants | Rotation |
|---|---|---|
| `GITHUB_TOKEN` | Read/write to the private task-mirror repo | GitHub → Settings → Developer settings → Fine-grained PATs |
| `MORGEN_API_KEY` | Full access to your Morgen calendar + tasks | https://platform.morgen.so/developers-api |
| `N8N_API_KEY` | Full access to your n8n instance (create / edit / activate workflows) | n8n UI → Settings → API → rotate |
.mcp.json / claude_desktop_config.json are NOT used by this project — the workflows run in n8n and read credentials from n8n's credential store after the initial install-workflows.sh substitution.
If you suspect any credential has been compromised:
- Rotate the credential at its source (links above).
- Update the value in your local `.env` file.
- Re-run `./scripts/install-workflows.sh` to push the new credential into n8n.
- In the n8n UI, deactivate and reactivate W1 / W2 so their credential references refresh.
- Source code in this repository
- n8n workflow JSON exports under `workflows/`
- The local daemon (`src/auto-commit.js` + `daemon/install-daemon.sh`)
- GitHub Actions workflows under `.github/workflows/`
Out of scope: your personal fork of this repo (YOUR-VAULT-tasks), your n8n instance, and any third-party services (Notion, Morgen, GitHub) that this project integrates with — please report issues in those systems to the upstream vendor. (As of 2026-05-04 the kit no longer integrates with Notion — Notion was dropped from the sync stack; the W3 worker is a no-op stub.)
- No secrets at rest in the repo. Workflow JSONs use `{{PLACEHOLDER}}` tokens substituted at install time by `scripts/install-workflows.sh`. The rendered files go to `/tmp/`, are POSTed to n8n, then deleted.
- CI grep guards. `.github/workflows/validate.yml` scans workflow JSONs on every push for hardcoded token shapes (`ghp_`, `ntn_`, `sk-`, `ApiKey` ...). A PR that accidentally bakes a secret into a committed JSON will fail CI.
- Bot-prefix echo guard. Every automated commit carries a `[bot:daemon]` / `[bot:W1]` / `[bot:W2]` / `[bot:backfill]` prefix so W1's webhook handler can skip them and avoid an infinite ping-pong.
- Flip-ratio guard. W1 refuses to proceed if a single run would flip >25% of your task state. This catches "I accidentally deleted TASKS-URGENT.md" before it replicates to Morgen.
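The CI grep guard described above, rewritten as a small Node.js check (an added example, not the project's `validate.yml`; the regexes, the rule that a `{{PLACEHOLDER}}` value in an `ApiKey` field is allowed, and the sample workflow JSON are assumptions):

```javascript
// Added example: a Node.js stand-in for the CI grep guard. Not the project's
// validate.yml; regexes and sample JSON are assumptions from the text's token shapes.

// Credential shapes that must never appear in a committed workflow export.
// A `{{PLACEHOLDER}}` in an ApiKey field is fine: install-workflows.sh
// substitutes it at install time, so only a literal value is flagged.
const TOKEN_SHAPES = [
  { name: 'GitHub PAT',     re: /ghp_[A-Za-z0-9]{20,}/ },
  { name: 'Notion token',   re: /ntn_[A-Za-z0-9]{20,}/ },
  { name: 'sk- style key',  re: /\bsk-[A-Za-z0-9_-]{20,}/ },
  { name: 'ApiKey literal', re: /"ApiKey"\s*:\s*"(?!\{\{)[^"]+"/ },
];

// Scan one workflow JSON's raw text line by line, as grep would, and
// return every { line, shape } hit.
function scanWorkflowText(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { name, re } of TOKEN_SHAPES) {
      if (re.test(line)) findings.push({ line: i + 1, shape: name });
    }
  });
  return findings;
}

// CI gate over { filename: text }: print every hit, return false on any.
function ciGate(files) {
  let ok = true;
  for (const [name, text] of Object.entries(files)) {
    for (const hit of scanWorkflowText(text)) {
      console.error(`${name}:${hit.line}: looks like a hardcoded ${hit.shape}`);
      ok = false;
    }
  }
  return ok;
}

// Constructed samples: not real exports, not real tokens.
const CLEAN_WORKFLOW = JSON.stringify(
  { name: 'W1 sync', nodes: [{ parameters: { ApiKey: '{{N8N_API_KEY}}' } }] },
  null, 2);
const LEAKY_WORKFLOW = JSON.stringify(
  { name: 'W2 sync', nodes: [{ parameters: {
      ApiKey: '{{N8N_API_KEY}}',
      headerValue: 'token ghp_' + 'A'.repeat(36), // fake PAT-shaped value
  } }] },
  null, 2);
console.log(ciGate({ 'workflows/W1.json': CLEAN_WORKFLOW, 'workflows/W2.json': LEAKY_WORKFLOW })
  ? 'CI gate: pass' : 'CI gate: FAIL, see findings above');
```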
- The daemon shells out to `git` via `execFileSync`. A hostile `$PATH` could swap out `git` for a malicious binary — the installer hardens `PATH` to well-known system locations (`/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin`), but if you install the daemon in an environment with a compromised `$PATH` at that moment, that hardening won't help.
- Morgen's API does not expose webhook notifications — W2 runs every 20 min via the W0 orchestrator. An attacker who compromises your Morgen account has a ≤20 min window before W2 propagates the change to Obsidian.