keeper is a secrets broker for autonomous agents — leases instead of raw keys. Vulnerability reports get priority attention.
Please do not open a public issue for security reports.
- Preferred: GitHub private vulnerability reporting — creates a private advisory visible only to maintainers.
- Email: support@askalf.org with
keeper securityin the subject.
You'll get an acknowledgement within 72 hours. Please include a minimal reproduction where possible.
keeper is pre-1.0: only the latest release receives security fixes; there are no maintenance branches.
Anything that breaks the core promise — agents get leases, never raw key material:
- The broker leaking raw secrets to a leaseholder (in responses, logs, or errors)
- Lease escalation: extending scope, TTL, or audience beyond what was granted
- The sanitizer failing to redact a secret pattern it claims to cover
- Audit-trail tampering or bypass