If you discover a security vulnerability in @oni.bot/core, please report it responsibly:

1. Do not open a public GitHub issue
2. Email security@oni.bot with:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)
3. You will receive acknowledgment within 48 hours
4. A fix will be released within 7 days for critical issues

As of v1.2.0, the framework includes comprehensive security hardening from an automated bug pipeline that found and fixed 90+ vulnerabilities:

Input validation & injection prevention:

• All filesystem operations validate paths against traversal attacks and strip null bytes
• CLI commands use execFileSync (array args) instead of shell interpolation
• deepMerge and config loaders reject prototype pollution payloads (__proto__, constructor, prototype)
• Mermaid diagram generation escapes bracket injection in node labels
• LLM-generated skill content is validated before disk writes

Network & API security:

• All model factories (anthropic, openai, openrouter, google, ollama) validate URL schemes to prevent SSRF and API key exfiltration
• A2A server enforces CORS preflight, Content-Type validation, and 1MB body size limits
• Raw API response bodies are never exposed in error messages — generic status codes only
• API key presence is validated at factory construction time (fail-fast)

Access control:

• checkAllowedPath() returns and uses the resolved path for I/O (closes TOCTOU race)
• Empty allowedPaths throws instead of silently allowing all filesystem access
• Permission hooks fail-closed on error and timeout for security-critical events
• Safety gate uses strict boolean equality for approval checks

Resource limits:

• MCP StdioTransport and LSP client enforce max buffer sizes to prevent OOM
• ExperimentLog capped at 1,000 records; DeadLetterQueue at 100 per thread
• crypto.randomUUID() used for all security-sensitive IDs (replaces Math.random)

@oni.bot/core provides a tool execution framework. The framework itself does not execute arbitrary code, but user-defined node functions and tools can. Users are responsible for:

• Validating tool inputs before execution
• Using the built-in Permissions guardrail to restrict tool access
• Implementing appropriate sandboxing for untrusted tool code

API keys for model providers (OpenAI, Anthropic, etc.) are protected by:

• Construction-time validation — missing keys throw immediately
• URL scheme validation — prevents exfiltration via malicious baseUrl
• Error message sanitization — raw API responses never surface in errors
• Users should still store keys in environment variables and rotate regularly

The BudgetTracker guardrail provides cost limits but should not be the sole control:

• Set conservative budget limits
• Monitor usage through the telemetry/audit system
• Implement server-side rate limiting for production deployments

Checkpoint data may contain sensitive state. When using persistent checkpointers:

• Use encrypted storage for SQLite/PostgreSQL backends
• Implement TTL-based cleanup for old checkpoints
• Restrict access to checkpoint storage
• Redis operations use atomic Lua scripts to prevent partial writes

The guardrails module provides content filters (PII, topic). These are best-effort:

• Do not rely solely on built-in filters for compliance
• Layer additional filtering for sensitive domains (healthcare, finance)
• Audit filter effectiveness regularly
• PII regex patterns are stateless (no /g flag) for concurrency safety

@oni.bot/core ships with zero runtime dependencies. Optional peer dependencies:

• better-sqlite3 — for SQLite checkpointing (optional)

This minimizes supply chain attack surface.