Aurora Shell is designed with a clear separation between local credential storage and remote communication. PINs and session data are stored locally using platform-appropriate mechanisms, account passwords are never transmitted in plain text, and all outbound network requests are made to a fixed set of known endpoints. This page documents how each security-sensitive area works and which versions receive ongoing security updates.

Supported Versions

Only the versions listed below receive security patches. If you are running an unsupported version, you should update to a supported release before reporting any vulnerabilities.

| Version | Security Updates |
| --- | --- |
| 5.1.x | ✅ Supported |
| 5.0.x | ❌ Not supported |
| 4.0.x | ✅ Supported |
| < 4.0 | ❌ Not supported |

PIN / Password Storage

Aurora Shell supports an optional terminal PIN that is requested on every new session. The storage mechanism differs by platform:

macOS: PINs are stored securely in the macOS Keychain using the following command during setup:
security add-generic-password -a "$USER" -s "aurora-shell-pin" -w "$PIN"
The PIN is stored under the service name aurora-shell-pin and accessed by the Aurora theme at session start via security find-generic-password. Access to the Keychain item is controlled by macOS; other applications cannot read it without user authorization.

Windows: PINs are written in plain text to the settings file at:
~\.aurora-shell_files\aurora-shell_settings.ps1
File-level access is governed by the Windows operating system and your user account permissions. Because the PIN is stored in plain text on Windows, you should use a strong system login password to protect access to this file, and avoid reusing a PIN that matches any sensitive credentials.

Account Password Hashing

Aurora Accounts use password-based authentication. Before any credential is sent over the network, the raw password is hashed client-side using SHA-256:
echo -n "$password" | shasum -a 256 | awk '{print $1}'
Only the resulting hash is included in the JSON payload sent to the Aurora Accounts API. The raw password is never transmitted or stored — not locally, and not on the server. This applies to both account creation and login requests.

Network Requests

Aurora Shell communicates with the following external URLs. No other outbound connections are made during normal operation:

| Endpoint | Purpose |
| --- | --- |
| https://aurora-accounts.yash-behera.workers.dev | Aurora Account login, creation, and profile sync |
| https://raw.githubusercontent.com/Seaus-tech/Aurora-Shell/ | Version checks on session start and installer downloads for updates |
| https://ollama.com/install.sh | Ollama installation, only if the AI assistant feature is used |

The version check at session start is a read-only curl request to the raw GitHub content URL and does not transmit any local data. Account sync requests include your username and password hash only.
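
The fixed endpoint list above can be checked against a script on disk. The following is an added example, not code from Aurora Shell: the function names, the PLACEHOLDER_* paths and the sample input are assumptions constructed for illustration, and only the three endpoint prefixes come from this page.

```shell
#!/bin/sh
# Added example: audit a script for URLs outside the documented endpoint list.
# Prefixes are copied from the Network Requests table on this page.
ALLOWED='https://aurora-accounts.yash-behera.workers.dev
https://raw.githubusercontent.com/Seaus-tech/Aurora-Shell/
https://ollama.com/install.sh'

# is_allowed URL: succeeds only if URL is a documented endpoint or a path under one.
# A prefix without a trailing slash must be followed by "/", "?" or nothing, so a
# look-alike host such as "<endpoint>.example.invalid" is not accepted.
is_allowed() {
    url=$1
    while IFS= read -r prefix; do
        case $prefix in
            */) case $url in "$prefix"*) return 0 ;; esac ;;
            *)  case $url in "$prefix"|"$prefix"/*|"$prefix"\?*) return 0 ;; esac ;;
        esac
    done <<EOF
$ALLOWED
EOF
    return 1
}

# unexpected_urls FILE: print each distinct http(s) URL in FILE that is not allowed.
unexpected_urls() {
    grep -Eo "https?://[^[:space:]\"'<>)]+" "$1" | LC_ALL=C sort -u |
    while IFS= read -r u; do
        is_allowed "$u" || printf '%s\n' "$u"
    done
}

# sample_script: constructed input, not taken from Aurora Shell's real scripts.
sample_script() {
    cat <<'EOF'
curl -s https://raw.githubusercontent.com/Seaus-tech/Aurora-Shell/PLACEHOLDER_PATH
curl -s -X POST https://aurora-accounts.yash-behera.workers.dev/PLACEHOLDER_ROUTE
curl -fsSL https://ollama.com/install.sh | sh
curl -s https://aurora-accounts.yash-behera.workers.dev.example.invalid/login
curl -s http://raw.githubusercontent.com/Seaus-tech/Aurora-Shell/PLACEHOLDER_PATH
curl -s https://raw.githubusercontent.com/other-org/other-repo/x.sh
EOF
}

tmp=$(mktemp)
sample_script >"$tmp"
unexpected_urls "$tmp"   # prints the three URLs that are off the documented list
rm -f "$tmp"
```

Plain-http variants of a documented host are reported as well, because the list on this page is https only.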

Reporting Vulnerabilities

If you discover a security vulnerability in Aurora Shell, please do not open a public GitHub issue. Instead, use GitHub’s private security advisory system to disclose the vulnerability responsibly:
  1. Go to https://github.com/Seaus-tech/Aurora-Shell/security/advisories
  2. Click “New draft security advisory”
  3. Fill in the details of the vulnerability
When submitting a report, please include:
  • A clear description of the vulnerability and its potential impact
  • The affected version(s) and platform (macOS / Windows)
  • Steps to reproduce the issue or a proof-of-concept if available
  • Any suggested mitigations or fixes, if known
You can expect an initial acknowledgement within a few days of submission. If the vulnerability is accepted, a fix will be coordinated before any public disclosure. If the report is declined, you will receive an explanation.
Windows stores the Aurora PIN in a plain text settings file (aurora-shell_settings.ps1). Do not use a PIN that matches any sensitive credentials such as your system login password, banking PIN, or account passwords. If you are working in a shared or sensitive environment, macOS Keychain storage is strongly recommended over the Windows plain-text approach.
