## Claude Code integration now fully opt-in (Fix 3)

- `pbi connect` no longer writes to ~/.claude/ automatically
- New `pbi-cli` entry point: `pbi-cli skills install/uninstall/list`
- `pbi-cli skills install` shows exact paths before writing and requires y/N confirmation
- `pbi connect` prints a one-line tip if skills are not yet installed
- `pbi skills` subgroup removed from the `pbi` entry point

## DLL licensing compliance (Fix 1)

- pyproject.toml updated to PEP 639 SPDX dual expression: MIT AND LicenseRef-Microsoft-AS-Client-Libraries
- license-files declaration: LICENSE, THIRD_PARTY_LICENSES.md, NOTICE
- THIRD_PARTY_LICENSES.md: full verbatim MS Analysis Services Client Libraries EULA
- NOTICE: short-form attribution for wheel redistribution
- src/pbi_cli/dlls/README.md: in-directory sentinel for the MS DLLs
- setuptools requirement bumped to >=77.0 for PEP 639 support

## SECURITY.md rewrite (Fix 2)

- Supported versions table updated to 3.10.x
- Architecture section: no MCP server, no subprocess, direct pythonnet interop
- Global Configuration Modifications section updated to reflect opt-in model
- Bundled Binaries section references THIRD_PARTY_LICENSES.md

## Documentation

- README.md, README.pypi.md: corrected 3-step setup flow
- CHANGELOG.md: [3.10.3] entry
- CONTRIBUTING.md: pbi skills -> pbi-cli skills
- All 7 semantic model SKILL.md files: prerequisites updated to 3-step flow
- New SVG/PNG marketing and documentation assets
# Security Policy

## Supported Versions
Only the latest 3.x release line receives security fixes. Users on older major versions should upgrade.
| Version | Supported |
|---|---|
| 3.10.x | Yes |
| 3.9.x | Critical fixes |
| < 3.9 | No |
| 2.x | No |
| 1.x | No |
## Reporting a Vulnerability
If you discover a security vulnerability in pbi-cli, please report it responsibly. Do not open a public issue.
Use GitHub private vulnerability reporting to submit the report.
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
### Response Timeline
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Fix release: as soon as possible, severity-dependent
## Architecture and Trust Boundaries
pbi-cli connects to a locally running Power BI Desktop instance via direct
in-process .NET interop. There is no MCP server, no subprocess, and no
network listener. Earlier 1.x releases used a separate
PBIDesktopMCPServer.exe subprocess; that architecture was removed in 2.x
and this document reflects the current 3.x behavior.
- Direct in-process .NET interop. pbi-cli loads bundled Microsoft Analysis Services Tabular Object Model (TOM) and ADOMD.NET client assemblies into the Python process via pythonnet/clr-loader. See `src/pbi_cli/core/dotnet_loader.py` and `src/pbi_cli/core/tom_backend.py`. The bundled DLLs live in `src/pbi_cli/dlls/` and are Microsoft binaries redistributed under the Microsoft Software License Terms for Microsoft Analysis Management Objects (AMO) and Microsoft Analysis Services - ADOMD.NET. See `THIRD_PARTY_LICENSES.md` and `NOTICE` for details.
- Local-only connection. pbi-cli connects to Power BI Desktop's embedded Analysis Services instance over a loopback TCP port that Desktop binds at launch. pbi-cli does not open any network sockets for inbound traffic and does not communicate over the public network.
- No credentials persisted. Connection metadata (port, workspace path, model name) is stored at `~/.pbi-cli/connections.json`. No tokens, passwords, or session credentials are written to disk. The file should have user-only read/write permissions.
- Report-layer commands are fully offline. `pbi report`, `pbi visual`, `pbi filters`, `pbi bookmarks`, `pbi format`, and `pbi theme` operate on PBIR JSON files on disk. They do not require `pbi connect` and do not touch the Power BI Desktop process.
## Global Configuration Modifications
pbi-cli integrates with Claude Code by writing to the user's global Claude configuration directory. Users should be aware of exactly which files are modified and when. This section is authoritative; if behavior diverges from the description below, please file a security advisory.
### Files written

| Path | Written by | Contents |
|---|---|---|
| `~/.claude/CLAUDE.md` | `pbi-cli skills install` | Appends a block wrapped in `<!-- pbi-cli:start -->` / `<!-- pbi-cli:end -->` markers that lists the 12 bundled skills and their trigger conditions. Source: `src/pbi_cli/core/claude_integration.py`. |
| `~/.claude/skills/power-bi-*/` | `pbi-cli skills install` | Copies the 12 bundled SKILL.md files from `src/pbi_cli/skills/` so Claude Code discovers them. Source: `src/pbi_cli/commands/skills_cmd.py`. |
No other paths under ~/.claude/ are read or modified. pbi-cli does not
access user conversation history, project memory files, unrelated skills,
or any other Claude Code state.
### When it happens

- `pbi-cli skills install` — the explicit install command (3.10.3+). Before writing anything, the command displays the exact paths it will modify and requires the user to confirm. Passing `--yes`/`-y` skips the prompt for non-interactive use.
- `pbi-cli skills uninstall` — removes the skill files and, when removing all skills, cleans up the `CLAUDE.md` block between its marker comments.
- `pbi connect` — connects to Power BI Desktop only. It does not write to `~/.claude/`. On a successful connection it checks whether skills are installed and, if not, prints a one-line tip: `Run 'pbi-cli skills install' to register pbi-cli skills with Claude Code.`
### Opt-out

Claude Code integration is fully opt-in as of 3.10.3. Simply do not run
`pbi-cli skills install` and `~/.claude/` is never touched.

To remove a previously installed integration, run:

```
pbi-cli skills uninstall
```
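The marker-bounded block handling and the pre-write path preview described above, as an added illustration that is not pbi-cli's own code (the marker strings and the `~/.claude/skills/power-bi-*/` pattern are from this document; the function names `install_block`, `uninstall_block`, `is_documented_skill_name` and `planned_writes` are assumptions for this example). It shows why the markers matter: install is idempotent, uninstall touches only the bounded block and refuses to guess when a marker is missing, and the preview can only ever list paths matching the documented pattern.

```python
"""Marker-bounded CLAUDE.md block handling (added example, not pbi-cli's code)."""
from pathlib import Path

START = "<!-- pbi-cli:start -->"   # marker strings as documented in SECURITY.md
END = "<!-- pbi-cli:end -->"


def uninstall_block(text: str) -> str:
    """Return `text` with the marker-bounded block removed, all else unchanged.

    If the start marker is absent, or no end marker follows it, nothing is
    removed: guessing at a malformed block could delete the user's own rules.
    """
    start = text.find(START)
    if start == -1:
        return text
    end = text.find(END, start)
    if end == -1:
        return text
    end += len(END)
    if text[end:end + 1] == "\n":   # drop the newline the block itself added
        end += 1
    return text[:start] + text[end:]


def install_block(text: str, body: str) -> str:
    """Append exactly one pbi-cli block; re-running replaces, never duplicates."""
    cleaned = uninstall_block(text)
    sep = "" if cleaned == "" or cleaned.endswith("\n") else "\n"
    return f"{cleaned}{sep}{START}\n{body.rstrip()}\n{END}\n"


def is_documented_skill_name(name: str) -> bool:
    """Only ~/.claude/skills/power-bi-*/ is documented; reject separators and '..'."""
    return (name.startswith("power-bi-")
            and "/" not in name and "\\" not in name and ".." not in name)


def planned_writes(claude_dir: str, skill_names: list[str]) -> list[str]:
    """Exact paths an install would touch, to display before the y/N prompt."""
    base = Path(claude_dir)
    for name in skill_names:
        if not is_documented_skill_name(name):
            raise ValueError(f"refusing undocumented skill path: {name!r}")
    paths = [base / "CLAUDE.md"]
    paths += [base / "skills" / n / "SKILL.md" for n in skill_names]
    return [str(p) for p in paths]


if __name__ == "__main__":
    for p in planned_writes(str(Path.home() / ".claude"), ["power-bi-dax"]):
        print("would write:", p)   # shown before anything is written
```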
### Why this matters
~/.claude/CLAUDE.md is Claude Code's global instruction file and is
loaded into every Claude Code session across every project on the
machine. Modifying it affects Claude's behavior everywhere, not just for
Power BI work. The pbi-cli block is bounded by comment markers so it can
be removed cleanly, but users on multi-tenant or sensitive machines
should be aware of this before running pbi-cli skills install.
## Bundled Binaries
pbi-cli-tool ships Microsoft Analysis Services client library DLLs
inside the PyPI wheel under src/pbi_cli/dlls/. These are unmodified
Microsoft binaries redistributed under Microsoft's own license terms,
not under MIT. See THIRD_PARTY_LICENSES.md
and NOTICE at the repo root for full terms and attribution.