Please report security issues privately rather than opening a public issue:
- Use GitHub's "Report a vulnerability" (Security → Advisories) on this repository, or
- email the maintainer (see the GitHub profile for
stozo04).
Include steps to reproduce and the impact. You'll get an acknowledgement as soon as possible, and a fix or mitigation will be coordinated before any public disclosure.
This tool authenticates to your personal Speediance account. Treat these as secrets:
config.jsonstores your email and password in plaintext.- The token cache stores a live session token (written with
0600permissions where supported). By default it lives in your OS user-cache directory (speediance/token.jsonunder%LocalAppData%on Windows,~/.cacheon Linux,~/Library/Cacheson macOS) — deliberately outside the working directory so a routinegit add -Acan't commit it, and in the non-roaming cache dir (not the roaming config dir) so a live credential isn't synced across machines. Override the path withSPEEDIANCE_TOKEN_CACHEor thetoken_cache_pathconfig key;config pathshows where it resolved. A token left by an older version in a working-directory.token.jsonis relocated to the per-user location on first run. .envmay store the same credentials.
These are gitignored and must never be committed. For agents/headless use, prefer environment
variables (SPEEDIANCE_EMAIL / SPEEDIANCE_PASSWORD) over an on-disk file.
This is an unofficial client for a reverse-engineered API. Use it only with your own account and data, at your own risk.
Only the latest released version receives fixes.