Security: davccavalcante/agenticstash

SECURITY.md

Security Policy

@takk/agenticstash is a stable (1.0.0) library for deterministic record and replay of agent runs. We take security reports seriously and aim to acknowledge each one within two business days.

Supported versions

Each published version follows strict SemVer (see SPEC.md section 5 and .github/RELEASING.md). Only the latest minor of the current major receives security patches; an older major receives critical-CVE fixes for 6 months after the next major lands.

Package              Supported
@takk/agenticstash   current latest dist-tag

Reporting a vulnerability

Please do not file public GitHub issues for security problems. Send reports to davcavalcante@proton.me (preferred) or say@takk.ag (Takk relay), with the subject line beginning [SECURITY].

Include, at minimum:

  • Affected version (npm ls @takk/agenticstash).
  • Reproduction steps or a minimal proof-of-concept.
  • Impact assessment (what an attacker can achieve).
  • Any suggested mitigation.

If your report involves a vulnerability in a third-party peer dependency, please also link the upstream advisory (CVE, GHSA, etc.) so we can coordinate the disclosure.

PGP / signed reports are welcome but not required. If you need an out-of-band channel, ask in the first message and we will propose one.

Response process

  1. Acknowledgement within 2 business days.
  2. Triage and severity assignment within 7 days.
  3. Fix targeted for the next release; critical issues ship as an out-of-band patch on the affected minor.
  4. Coordinated disclosure: the reporter is credited in the changelog and advisory unless they request anonymity.

Threat model in scope

Findings in any of the following are in scope:

  • Recorded-data exposure. A recording can contain whatever you pass through it (prompts, tool payloads, environment reads). The redact hook and the DROP sentinel exist to keep secrets and PII out of a recording (see PRIVACY.md). Any path that leaks a value the redactor was supposed to strip, or any way to bypass a configured redactor, is in scope.
  • Seal integrity. The integrity seal is a SHA-256 hash chain over the recording. Any way to modify a recording's events, values, order, or id without changing the root that verifyRecording recomputes is in scope.
  • Silent replay divergence. Any way to make the replayer serve a value that does not match the recording without surfacing it as a divergence (for example an event-identity collision) is in scope, since silent substitution defeats the debugging and audit guarantees.
  • Input handling. Crashes, prototype pollution, or unbounded memory growth when decodeRecording parses a hostile recording file, and path traversal in the CLI write path (fork --out, seal --out) that lets a recording cause a write outside the intended location.
  • Supply chain. Tarball contamination, compromised npm scope, or a published artifact whose provenance attestation does not match the source commit.

Out of scope

  • The custody of secrets before they reach the recorder (your environment, your secret manager) and the data you choose to record without a redactor; that is the operator's responsibility.
  • The integrity seal is tamper-evident, not a digital signature: it proves a recording matches a trusted root, not who produced it. Claims of forging authorship without a compromised root are out of scope; pair the root with your own signing for non-repudiation.
  • Theoretical attacks against the cryptographic primitive used for sealing (SHA-256 via Web Crypto); report those upstream.
  • Denial of service via unbounded inputs against your own application; recording size and retention remain the operator's responsibility.

Supply-chain assurances

  • Zero required runtime dependencies. The attack surface from transitive dependencies is eliminated; optional peers are sibling @takk packages you install explicitly.
  • Provenance. Every release is published with npm publish --provenance (SLSA attestation by GitHub Actions). Verify with npm view @takk/agenticstash@<version> --json | jq .dist.attestations.
  • Lockfile committed. pnpm-lock.yaml is tracked in git for reproducible installs.