| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take the security of this project seriously. If you discover a security vulnerability, please report it privately.
Do not file a public issue.
Instead, please report it via GitHub's private vulnerability reporting:
- Navigate to Security > Advisories > Report a vulnerability
- Provide a detailed description of the issue
- Never commit API keys to version control.
- Use environment variables (e.g., `GEMINI_API_KEY`) to provide credentials.
- The `Debug` implementation for `LlmClient` hides the underlying API client entirely to prevent accidental exposure of credentials in logs.
- Check generated logs to ensure no sensitive data is leaked before sharing them.
- This tool uses LLMs which can be susceptible to prompt injection. While we structure prompts carefully to separate instructions from user data, treat LLM outputs as untrusted.
- When using the `eval` suite, ensure input datasets are from trusted sources.
- Dependencies are automatically audited on `Cargo.toml`/`Cargo.lock` changes and weekly via GitHub Actions (see `.github/workflows/audit.yml`).
- Known issues: `number_prefix` (via `indicatif`) is unmaintained (RUSTSEC-2025-0119). This is a display-only dependency and considered low risk.
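The `Debug` point above, as an added example that is not the project's own code: a hypothetical stand-in for `LlmClient` whose manual `Debug` impl formats only the model name and skips the inner client, beside a derived `Debug` that would print the key. The type and field names (other than `LlmClient` and `GEMINI_API_KEY`) are assumptions.

```rust
use std::fmt;

/// Hypothetical inner API client holding the credential (not the project's real type).
struct ApiClient {
    api_key: String,
}

/// Counterexample: a derived Debug prints every field, so `{:?}` exposes the key.
#[derive(Debug)]
pub struct LeakyClient {
    pub api_key: String,
}

/// Hypothetical stand-in for the project's LlmClient.
pub struct LlmClient {
    model: String,
    inner: ApiClient,
}

impl LlmClient {
    /// Construct with an explicit key (the test passes a made-up value).
    pub fn with_key(model: &str, api_key: &str) -> Self {
        let inner = ApiClient { api_key: api_key.to_string() };
        Self { model: model.to_string(), inner }
    }

    /// Read the credential from GEMINI_API_KEY; a constructed placeholder
    /// keeps the example runnable offline.
    pub fn from_env(model: &str) -> Self {
        let key = std::env::var("GEMINI_API_KEY")
            .unwrap_or_else(|_| "PLACEHOLDER-NOT-A-REAL-KEY".to_string());
        Self::with_key(model, &key)
    }
}

// Manual Debug: only the model name is formatted; `inner` (and its key) is
// skipped entirely, so `{:?}` in a log line cannot leak the credential.
impl fmt::Debug for LlmClient {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("LlmClient")
            .field("model", &self.model)
            .finish_non_exhaustive()
    }
}

/// True if formatting `value` with `{:?}` would reveal `secret`.
pub fn debug_leaks_secret<T: fmt::Debug>(value: &T, secret: &str) -> bool {
    format!("{value:?}").contains(secret)
}
```

`debug_leaks_secret` is the check to run over any type that ends up in log output; `finish_non_exhaustive` renders the hidden fields as `..` so a reader of the log still knows something was omitted.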