@takk/agenticstash is a stable (1.0.0) library for deterministic record and
replay of agent runs. We take security reports seriously and aim to acknowledge
each one within two business days.
Each published version follows strict SemVer (see SPEC.md section 5 and .github/RELEASING.md). Only the latest minor of the current major receives security patches; an older major receives critical-CVE fixes for 6 months after the next major lands.
| Package | Supported |
|---|---|
| @takk/agenticstash | current latest dist-tag |
Please do not file public GitHub issues for security problems. Send reports
to davcavalcante@proton.me (preferred) or say@takk.ag (Takk relay),
with the subject line beginning [SECURITY].
Include, at minimum:
- Affected version (`npm ls @takk/agenticstash`).
- Reproduction steps or a minimal proof-of-concept.
- Impact assessment (what an attacker can achieve).
- Any suggested mitigation.
If your report involves a vulnerability in a third-party peer dependency, please also link the upstream advisory (CVE, GHSA, etc.) so we can coordinate the disclosure.
PGP / signed reports are welcome but not required. If you need an out-of-band channel, ask in the first message and we will propose one.
- Acknowledgement within 2 business days.
- Triage and severity assignment within 7 days.
- Fix targeted for the next release; critical issues ship as an out-of-band patch on the affected minor.
- Coordinated disclosure: the reporter is credited in the changelog and advisory unless they request anonymity.
Findings in any of the following are in scope:
- Recorded-data exposure. A recording can contain whatever you pass through it (prompts, tool payloads, environment reads). The `redact` hook and the `DROP` sentinel exist to keep secrets and PII out of a recording (see PRIVACY.md). Any path that leaks a value the redactor was supposed to strip, or any way to bypass a configured redactor, is in scope.
- Seal integrity. The integrity seal is a SHA-256 hash chain over the recording. Any way to modify a recording's events, values, order, or id without changing the root that `verifyRecording` recomputes is in scope.
- Silent replay divergence. Any way to make the replayer serve a value that does not match the recording without surfacing it as a divergence (for example an event-identity collision) is in scope, since silent substitution defeats the debugging and audit guarantees.
- Input handling. Crashes, prototype pollution, or unbounded memory growth when `decodeRecording` parses a hostile recording file, and path traversal in the CLI write path (`fork --out`, `seal --out`) that lets a recording cause a write outside the intended location.
- Supply chain. Tarball contamination, compromised npm scope, or a published artifact whose provenance attestation does not match the source commit.
- The custody of secrets before they reach the recorder (your environment, your secret manager) and the data you choose to record without a redactor; that is the operator's responsibility.
- The integrity seal is tamper-evident, not a digital signature: it proves a recording matches a trusted root, not who produced it. Claims of forging authorship without a compromised root are out of scope; pair the root with your own signing for non-repudiation.
- Theoretical attacks against the cryptographic primitive used for sealing (SHA-256 via Web Crypto); report those upstream.
- Denial of service via unbounded inputs against your own application; recording size and retention remain the operator's responsibility.
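
The difference between tamper evidence and authorship described above, as an added example (not agenticstash's own code or seal format): a constructed SHA-256 chain in which any change to events, values, order, or id moves the root, paired with an operator-held Ed25519 key that signs the root. `computeRoot`, `matchesTrustedRoot`, `signRoot`, `verifySignedRoot`, the chain layout, and the sample recording are all hypothetical.

```javascript
// Added illustration with a constructed chain layout; NOT agenticstash's real seal format.
const { createHash, generateKeyPairSync, sign, verify } = require("node:crypto");

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Hypothetical chain: the recording id seeds it, and every link commits to the
// previous link, the event's position, and the event's JSON form. A real format
// also needs canonical serialization so equal events always hash equally.
function computeRoot(recording) {
  let link = sha256(JSON.stringify(["id", recording.id]));
  recording.events.forEach((event, index) => {
    link = sha256(JSON.stringify([link, index, event]));
  });
  return link;
}

// Tamper evidence: the recording must recompute to a root obtained out of band.
const matchesTrustedRoot = (recording, trustedRoot) => computeRoot(recording) === trustedRoot;

// Authorship: an operator-held Ed25519 key signs the root (algorithm is null for Ed25519).
const signRoot = (root, privateKey) => sign(null, Buffer.from(root, "hex"), privateKey);
const verifySignedRoot = (root, signature, publicKey) =>
  verify(null, Buffer.from(root, "hex"), publicKey, signature);

// Constructed sample recording.
const sample = {
  id: "run-001",
  events: [{ kind: "prompt", value: "hello" }, { kind: "tool", value: { name: "search" } }],
};

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const root = computeRoot(sample);
  const signature = signRoot(root, privateKey);
  const edited = { ...sample, events: [{ kind: "prompt", value: "bye" }, sample.events[1]] };
  return {
    intact: matchesTrustedRoot(sample, root),
    editedValue: matchesTrustedRoot(edited, root),
    reordered: matchesTrustedRoot({ ...sample, events: [...sample.events].reverse() }, root),
    changedId: matchesTrustedRoot({ ...sample, id: "run-002" }, root),
    signedRoot: verifySignedRoot(root, signature, publicKey),
    // A root recomputed over the edited recording is self-consistent but unsigned.
    resealedRoot: verifySignedRoot(computeRoot(edited), signature, publicKey),
  };
}

console.log(demo());
```
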
- Zero required runtime dependencies. The attack surface from transitive dependencies is eliminated; optional peers are sibling `@takk` packages you install explicitly.
- Provenance. Every release is published with `npm publish --provenance` (SLSA attestation by GitHub Actions). Verify with `npm view @takk/agenticstash@<version> --json | jq .dist.attestations`.
- Lockfile committed. `pnpm-lock.yaml` is tracked in git for reproducible installs.