Friday Studio runs locally on your machine. Your data — spaces, session history, artifacts, and credentials — stays on your machine and is never sent to Friday’s servers.

Data stays local

Everything Friday stores lives in the Friday home directory (default ~/.friday/local/) on your machine — spaces, sessions, artifacts, and credentials. Friday does not have access to any of it.

Credential isolation

API keys and OAuth tokens are stored locally by the Link service and injected into agent processes at runtime. They are never written into workspace.yml or logged.

Localhost only

All Friday services bind to 127.0.0.1 and are not accessible from other machines on your network.
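One way to check the loopback-only claim on a Linux host, as an added example that is not Friday's own code: it parses `ss -H -ltnp` output and reports listeners of matching processes that are bound to anything other than a loopback address. The process-name prefix `friday` and the sample output are constructed assumptions; the sample deliberately contains one wildcard listener so the check has something to flag.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` output; process names and ports are hypothetical.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("friday",pid=1234,fd=7))
LISTEN 0 4096 [::1]:9090 [::]:* users:(("friday-link",pid=1240,fd=5))
LISTEN 0 4096 *:3000 *:* users:(("friday",pid=1234,fd=9))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=610,fd=14))
"""

PROC_RE = re.compile(r'\(\("([^"]+)"')  # first process name in the users:(...) column


def is_loopback(host: str) -> bool:
    """True only when the listen address is a loopback address."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface suffix
    if host == "*":                            # ss prints * for a dual-stack wildcard
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                           # unparseable address: treat as exposed


def exposed_listeners(ss_output: str, name_prefix: str):
    """Return (process, local_address) for non-loopback listeners of matching processes."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Lines without a process column (no privileges to see the owner) are skipped.
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        match = PROC_RE.search(" ".join(fields[5:]))
        if not match or not match.group(1).startswith(name_prefix):
            continue
        host, _, _port = fields[3].rpartition(":")
        if not is_loopback(host):
            findings.append((match.group(1), fields[3]))
    return findings


if __name__ == "__main__":
    for proc, addr in exposed_listeners(SAMPLE_SS_OUTPUT, "friday"):
        print(f"NOT loopback-only: {proc} listening on {addr}")
```

To run it against a live system, pass the text returned by `ss -H -ltnp` (run with enough privileges to see process owners) in place of the sample.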

Webhook tunnel

Inbound webhook payloads are forwarded from Cloudflare’s edge to your local daemon. Disable entirely with NO_TUNNEL=true.

Supply chain security

Friday’s open-code codebase is scanned continuously for dependency vulnerabilities, with automated checks on every code change.

Reporting a vulnerability

Do not open a public GitHub issue for security problems. Use one of these private channels:

Include a description of the issue, affected component, steps to reproduce, and any relevant logs or proof-of-concept. We’ll acknowledge within 3 business days and provide an initial assessment within 7. Coordinated disclosure defaults to 90 days from the initial report.

Supported versions

Security fixes are applied to the main branch and shipped in the next release. We do not backport to older releases — run a recent build.

Contact

For security questions: security@hellofriday.ai