| Version | Security fixes |
|---|---|
| 0.2.x | ✅ Active |
| < 0.2 | ❌ No longer supported |
Please do not open a public GitHub issue for security vulnerabilities.
Send a report to: security@nbsjunior.dev (or use GitHub Private Security Advisories).
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- (Optional) Suggested fix
You will receive a response within 72 hours. We aim to release a patch within 14 days of confirmation.
Todd of AIDLC handles API keys and tokens for external AI providers. In scope:
- Hardcoded secrets or tokens in source code
- Token leakage via IPC, logs, or telemetry
- Privilege escalation via the CLI daemon subprocess
- Malicious `.toddspect/config.yaml` or spec files leading to code execution
Out of scope:
- Security of third-party AI provider APIs (Copilot, Claude, Cursor, etc.)
- Issues in vendored AI-DLC rules not introduced by this project
Todd of AIDLC stores API tokens exclusively in VS Code Secret Storage (system keychain) or environment variables. Tokens are:
- Never written to `.toddspect/config.yaml` or any committed file
- Redacted in all log output (`trace.ts` sanitises `gho_`, `ghp_`, `github_pat_`, `sk-ant-` prefixes)
- Passed to the CLI daemon via environment variables (not command-line arguments)