This document outlines security best practices for using and contributing to the Agentic Proposal Generator.
Anthropic API keys are sensitive credentials that must never be committed to version control.
- Use Environment Variables (Recommended)

  ```bash
  export ANTHROPIC_API_KEY='sk-ant-your-key-here'
  ```
- Use .env Files (Local Development)

  ```bash
  # Create .env file in project root
  echo "ANTHROPIC_API_KEY=sk-ant-your-key-here" > .env
  ```
- Production Deployment
  - Use secure environment variable management
  - Consider using secrets management services (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)
  - Never hardcode keys in source code
  - Rotate keys regularly (quarterly at minimum)
  - Use separate keys for dev/staging/production
The project includes multiple layers of protection:
- .gitignore Protection

  ```gitignore
  # API Keys and secrets
  .env
  .env.*
  *.key
  *sk-ant-*
  *anthropic*key*
  secrets.json
  config.json
  credentials.json
  ```

- Runtime Validation
  - API keys are validated before use
  - Clear error messages when keys are missing
  - No key logging or exposure in error messages
- Pre-commit Hooks
  - `detect-private-key` hook scans for common key patterns
  - Automatically blocks commits containing potential secrets
  - Install with:

    ```bash
    pre-commit install
    ```
- CI/CD Security
  - GitHub Actions never require API keys (mock tests only)
  - Secrets stored in GitHub Secrets (encrypted)
  - No keys in logs or artifacts
ACT IMMEDIATELY - Exposed keys can be found and abused within minutes.
- Immediately revoke the key
  - Go to Anthropic Console
  - Delete the exposed key immediately
  - Do this FIRST, before anything else
- Generate a new key
  - Create a replacement key
  - Update your local environment
  - Update production/staging environments
- Clean Git history

  ```bash
  # Rewriting history does not un-expose the key: it must already be revoked (step 1).

  # Remove from recent commit (if not pushed)
  git reset --soft HEAD~1
  git reset HEAD .env
  git commit -m "Your commit message"

  # If already pushed, use filter-branch (use with caution)
  git filter-branch --index-filter \
    'git rm --cached --ignore-unmatch .env' HEAD

  # Force push (notify team first!)
  git push --force-with-lease
  ```
- Monitor your Anthropic account
  - Check usage logs for unauthorized access
  - Enable spending limits
  - Set up usage alerts
  - Review recent API calls
- Notify maintainers
  - If pushed to public repository, notify maintainers
  - Consider rotating shared keys
  - Review security practices
- Never share .env files
  - Each developer should have their own API key
  - Use `.env.example` as template (no real keys)
  - Add `.env` to global `.gitignore`
- Use separate keys for different environments
  - Development keys with strict usage limits
  - Staging keys with moderate limits
  - Production keys with appropriate permissions
  - Label keys clearly in Anthropic Console
- Regular key rotation
  - Rotate development keys monthly
  - Rotate production keys quarterly
  - Document rotation in security calendar
  - Test new keys before decommissioning old ones
- Mock API calls in tests
  - NEVER use real API keys in automated tests
  - Use mock responses for predictable testing
  - Mock tests are the default (tests/unit, tests/integration)
  - Live tests only for pre-release validation
- Sanitize logs
  - Never log API keys or full API responses
  - Redact sensitive information from debug output
  - Use structured logging with key filtering
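As an added example (not code from the project) covering both the Runtime Validation and Sanitize logs items above: the key is read from `ANTHROPIC_API_KEY`, a missing or malformed key produces an error that names the variable but never its value, and a `logging.Filter` scrubs anything shaped like the `sk-ant-` placeholder used in this document. The key shape is an assumption taken from those placeholders, not an official format.

```python
# Added example (not project code): read ANTHROPIC_API_KEY, fail with an error
# that names the variable but never its value, and scrub key-shaped tokens from
# log output. The "sk-ant-" shape is assumed from this document's placeholders.
import logging
import os
import re

KEY_ENV = "ANTHROPIC_API_KEY"
KEY_PATTERN = re.compile(r"sk-ant-[A-Za-z0-9_-]{8,}")  # heuristic, not a spec
PLACEHOLDER = "sk-ant-***REDACTED***"


class MissingApiKeyError(RuntimeError):
    """Raised when no usable key is configured; never carries key material."""


def load_api_key(env=None):
    """Return the configured key or raise an error that is safe to log."""
    env = os.environ if env is None else env
    key = (env.get(KEY_ENV) or "").strip()
    if not key:
        raise MissingApiKeyError(f"{KEY_ENV} is not set; export it or add it to .env")
    if not KEY_PATTERN.fullmatch(key):
        # Deliberately do not echo the rejected value back to the caller.
        raise MissingApiKeyError(f"{KEY_ENV} does not look like a valid key")
    return key


def redact(text):
    """Replace every key-shaped token in text with a fixed placeholder."""
    return KEY_PATTERN.sub(PLACEHOLDER, text)


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record it emits is scrubbed first."""

    def filter(self, record):
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


def filtered_message(msg, *args):
    """Render a log line the way a handler with RedactingFilter would."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()
```

Attach the filter to each handler (for example `handler.addFilter(RedactingFilter())`) rather than to a logger, since logger-level filters do not apply to records propagated from child loggers.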
- CI/CD Best Practices
  - Mock tests run in CI (no API keys needed)
  - Secrets stored in GitHub Secrets
  - Never print environment variables in logs
  - Use `continue-on-error: true` for safety checks only
Discovery call transcripts may contain sensitive business information:
- No persistent storage
  - Transcripts are processed in memory only
  - No automatic caching of input content
  - Claude API processes data according to their privacy policy
- Output sanitization
  - Generated proposals don't expose raw API responses
  - Review proposals before sharing externally
  - Consider data classification requirements
- Data handling recommendations
  - Review generated proposals before sharing
  - Consider data classification requirements
  - Implement appropriate access controls
  - Follow your organization's data handling policies
  - Be aware of information sent to third-party APIs
The project includes MCP tools that may access external data:
- Tool Permissions
  - MCP tools defined in `src/agentic_proposal_generator/mcp/tools.py`
  - Review tool capabilities before deployment
  - Limit tool permissions appropriately
- External Data Access
  - Company lookup tools may access public APIs
  - No credentials stored in MCP configuration
  - Review tool outputs before use
If you discover a security vulnerability:
- Do NOT open a public issue
  - Security issues should not be publicly disclosed
  - Use private disclosure channels
- Report through GitHub Security Advisories
  - Go to Security tab → Report a vulnerability
  - Provide detailed reproduction steps
  - Include affected versions
- Contact maintainers privately
  - For urgent matters, contact repository owner directly
  - Allow reasonable time for fix (90 days standard)
- Responsible Disclosure
  - Work with maintainers to verify fix
  - Coordinate public disclosure timing
  - Credit provided in security advisories
Report any of the following:
- API key exposure in code/commits
- Injection vulnerabilities
- Authentication/authorization bypasses
- Sensitive data exposure
- Dependency vulnerabilities
- Insecure configurations
- Input data: Discovery call transcripts contain confidential business information
- AI processing: Content is sent to Anthropic's API - review Anthropic's privacy policy
- Output data: Generated proposals may contain derived business insights
- Review Anthropic's Terms of Service
  - Understand data processing policies
  - Ensure compliance with your organization's requirements
  - Review commercial data usage terms
- Implement appropriate controls
  - Data classification policies
  - Access logging and monitoring
  - Retention and deletion policies
  - Encryption in transit and at rest
- Consider regulatory requirements
  - GDPR (EU data protection)
  - CCPA (California privacy law)
  - Industry-specific compliance (HIPAA, SOX, PCI-DSS, etc.)
  - International data transfer restrictions
- Business Considerations
  - Confidentiality agreements with customers
  - Intellectual property protection
  - Competitive information handling
  - Client data protection obligations
- API keys stored securely (not in code)
- .gitignore configured properly
- No sensitive data in commit history
- Environment variables configured
- Access controls implemented
- Monitoring and alerting configured
- Spending limits set on API keys
- Pre-commit hooks installed
- Rotate API keys quarterly
- Review access logs monthly
- Update dependencies weekly (`uv sync`)
- Monitor for security advisories
- Audit .gitignore effectiveness
- Review user permissions
- Test incident response procedures
- Security training for team members
- No hardcoded secrets or API keys
- Input validation on user-provided data
- Error messages don't leak sensitive info
- Dependencies are up to date
- Security tests pass
- Bandit scan passes (no high-severity issues)
- Keep dependencies updated

  ```bash
  # Update dependencies
  uv sync --upgrade

  # Check for security vulnerabilities
  uv run safety check
  ```
- Review dependency changes
  - Check `uv.lock` for unexpected changes
  - Review security advisories for dependencies
  - Test thoroughly after updates
- Minimize dependencies
  - Only add necessary dependencies
  - Prefer well-maintained packages
  - Review package maintainer reputation
- Anthropic Security Best Practices
- Claude API Documentation
- OWASP Top 10
- Git Security Documentation
- 12 Factor App - Config
- GitHub Security Best Practices
Remember: Security is a shared responsibility. Every contributor and user plays a role in keeping the project and its users secure.
- 1.0 (2025-01-05): Initial security guidelines for Agentic Proposal Generator