We actively maintain security fixes for the following versions:

Do not open a public GitHub issue for security vulnerabilities.

If you discover a security vulnerability in Peaky Peek, please report it responsibly:

1. Email: Send details to the maintainers via the contact listed on the GitHub profile.
2. Subject line: [SECURITY] Peaky Peek – <brief description>
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 14 days for critical issues.

This policy covers:

• The peaky-peek SDK package
• The peaky-peek-server package and its REST API
• The Peaky Peek web UI

• Authentication and authorization flaws
• Data exposure (agent traces, session data, LLM inputs/outputs)
• SQL injection or other injection attacks
• Insecure defaults that expose sensitive data
• Dependency vulnerabilities with direct exploitability

• Issues in third-party frameworks (LangChain, OpenAI, etc.) — report those upstream
• Bugs without security impact
• Theoretical vulnerabilities without a realistic attack path

Peaky Peek is local-first by default. If you deploy the server publicly, take note:

• API authentication: Enable API key authentication (AUTH_ENABLED=true) — do not expose the server without auth
• Trace data: Agent traces may contain sensitive prompts, tool outputs, or PII — treat the database accordingly
• Environment variables: Never commit .env files containing secrets; use .env.example as a reference only
• Network exposure: Bind the server to localhost unless you intend public access; use a reverse proxy with TLS for production

• GitHub Actions runs gitleaks on pushes to main, pull requests targeting main, and manual dispatches.
• This is intended to catch committed credentials, tokens, and private-key material before they land on the default branch.
• Local runtime files such as data/, traces/, and .env should remain untracked; the scan complements .gitignore, it does not replace it.

You can also run the same scanner locally if you have gitleaks installed:

gitleaks git --verbose .

We follow coordinated disclosure: we ask that you give us reasonable time to patch before any public disclosure. We will credit reporters in the release notes unless you prefer to remain anonymous.