Security: PracticalMind/assayer

SECURITY.md

Security Policy

Supported Versions

Currently, only the latest version of assayer is supported for security updates.

Version Supported
0.1.x

Reporting a Vulnerability

We take the security of assayer seriously. If you find a security vulnerability, please do not open a public issue. Instead, please report it via GitHub's private vulnerability reporting.

Include a description of the issue, steps to reproduce, and the version affected. We aim to respond to all reports within 7 days.

Scope

assayer is a command-line tool, not a network service. The relevant security surface includes:

  • API Key Management: assayer stores API keys locally in ~/.assayer/config.json. Access to this file should be restricted to the local user.
  • Provider Integrations: API keys are only transmitted to the respective LLM providers (OpenAI, Anthropic, Google) during request execution. We do not store or transmit keys to any other third-party servers.
  • Local Data Export: When using --output, assayer writes results to the local filesystem. Ensure you have the necessary permissions for the target directory.
  • Dependency Security: assayer relies on third-party libraries like litellm and httpx. If a vulnerability is found in these dependencies, please report it to the respective upstream maintainers and notify us so we can update our pins.

API Key Security Best Practices

  • Environment Variables: For enhanced security, you can use environment variables (e.g., OPENAI_API_KEY) instead of the local config file. Environment variables always take precedence.
  • Minimal Permissions: Use API keys with the minimum necessary scopes required for your prompts.
  • Secure Storage: Ensure your home directory and the ~/.assayer/ folder have appropriate filesystem permissions (e.g., chmod 700 ~/.assayer).
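One way to check the Secure Storage item, as an added example that is not part of assayer's own code: it flags group or other permission bits on the ~/.assayer folder and its config.json, then applies owner-only modes. The function names are hypothetical, the 600 mode for config.json is this example's assumption (the policy only names chmod 700 for the folder), and the demo runs against a constructed temporary directory rather than a real home directory.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_config_permissions(config_dir):
    """Return findings for the directory and the config.json inside it."""
    findings = []
    base = Path(config_dir)
    # 0600 for the file is this example's assumption; the page names 700 for the folder.
    for path, wanted in ((base, 0o700), (base / "config.json", 0o600)):
        try:
            st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
        except FileNotFoundError:
            continue  # nothing stored yet
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: is a symlink, check where it points")
            continue
        mode = stat.S_IMODE(st.st_mode)
        # Any group/other bit lets another local account reach the stored key.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: mode {mode:04o}, want {wanted:04o} or stricter")
    return findings


def harden(config_dir):
    """Owner-only modes: 700 on the directory, 600 on config.json."""
    cfg = Path(config_dir) / "config.json"
    os.chmod(config_dir, 0o700)
    if cfg.is_file() and not cfg.is_symlink():
        os.chmod(cfg, 0o600)


def demo():
    """Constructed sample: a throwaway directory stands in for ~/.assayer."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / ".assayer"
        d.mkdir()
        (d / "config.json").write_text('{"constructed": "placeholder"}')
        os.chmod(d, 0o755)
        os.chmod(d / "config.json", 0o644)
        before = audit_config_permissions(d)
        harden(d)
        return before, audit_config_permissions(d)


if __name__ == "__main__":
    print(demo())
```

To audit a real installation, call audit_config_permissions(Path.home() / ".assayer"); an empty list means no group or other access was found.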

There aren't any published security advisories