Skip to content

Security: davccavalcante/coryphaeus

Security

SECURITY.md

Security Policy

@takk/coryphaeus is a stable (1.0.0) library that composes frontier models as a coordinated team over an injectable client, with explicit budgets and an auditable agent graph. We take security reports seriously and aim to acknowledge each one within two business days.

Supported versions

Each published version follows strict SemVer (see SPEC.md and .github/RELEASING.md). Only the latest minor of the current major receives security patches; an older major receives critical-CVE fixes for 6 months after the next major lands.

Package Supported
@takk/coryphaeus 1.0.x (current latest dist-tag)

Reporting a vulnerability

Please do not file public GitHub issues for security problems. Send reports to davcavalcante@proton.me (preferred) or say@takk.ag (Takk relay), with the subject line beginning [SECURITY].

Include, at minimum:

  • Affected version (npm ls @takk/coryphaeus).
  • Reproduction steps or a minimal proof-of-concept.
  • Impact assessment (what an attacker can achieve).
  • Any suggested mitigation.

If your report involves a vulnerability in a third-party peer dependency, please also link the upstream advisory (CVE, GHSA, etc.) so we can coordinate the disclosure.

PGP / signed reports are welcome but not required. If you need an out-of-band channel, ask in the first message and we will propose one.

Response process

  1. Acknowledgement within 2 business days.
  2. Triage and severity assignment within 7 days.
  3. Fix targeted for the next release; critical issues ship as an out-of-band patch on the affected minor.
  4. Coordinated disclosure: the reporter is credited in the changelog and advisory unless they request anonymity.

Threat model in scope

Findings in any of the following are in scope:

  • Budget integrity. Any way to make the orchestrator dispatch a step that breaches the configured USD ceiling without raising BUDGET_EXCEEDED, any path that lets a non-finite cost or forecast slip past the guard, or any accounting error that under-reports a run's cost in the graph or the tally.
  • Audit integrity. Any way to make verifyChain return valid: true for a chain that was altered after sealing, any hash-chain construction that lets a forged entry pass, or any way to defeat the SHA-256 chaining. The seal is an integrity seal, not a signature: it proves a log was not altered after sealing, not who produced it, and that boundary is documented, not a vulnerability.
  • Tool and adapter input. Any way to make the coryphaeus_orchestrate tool or parseOrchestrateInput register an agent, swap the injected client, or otherwise mutate the host-fixed pool from model-supplied input, or any malformed tool input that bypasses validation and yields prototype pollution or an unbounded run.
  • Loaders and snapshots. Path traversal or any way to make the JSON loaders in @takk/coryphaeus/node read outside the path you pass them, or any malicious agent-roster, task, run, or snapshot file that bypasses the loader and fromSnapshot validation and yields a malformed descriptor, prototype pollution, or corrupted orchestration state.
  • Numeric integrity. Any way to drive a numerically invalid cost, forecast, or budget (NaN or Infinity) past the typed guards in the budget arithmetic or the cost pricing.
  • Supply chain. Tarball contamination, compromised npm scope, or a published artifact whose provenance attestation does not match the source commit.

Out of scope

  • The security or correctness of the provider or model behind the injected client. Coryphaeus never speaks a provider API; you inject the model caller, and the safety of that endpoint and its credentials is your concern.
  • The content of model outputs. Coryphaeus orchestrates black-box agents; it does not sanitize, validate, or defend against adversarial content the underlying models produce. Prompt-injection resistance of the composed models is a provider and application concern.
  • The quality of the agents, roles, or topology you configure. A poor arrangement produces a poor answer; that is a usage concern, not a vulnerability.
  • Exposure caused by a misconfiguration that removes the budget ceiling or sets it too high for your spend tolerance. The ceiling is yours to set.
  • Theoretical attacks against the cryptographic primitive used for the audit chain (SHA-256) and the Web Crypto implementation of the host runtime; report those upstream.

Supply-chain assurances

  • Zero required runtime dependencies. The attack surface from transitive dependencies is eliminated. Every @takk sibling is an optional peer dependency you install explicitly.
  • Node-free core. The core never speaks a provider API, and the audit seal uses the Web Crypto API (globalThis.crypto.subtle) rather than node:crypto. Only the optional @takk/coryphaeus/node loaders touch the Node standard library, and they only read the files you point them at.
  • Provenance. Every release is published with npm publish --provenance (SLSA attestation by GitHub Actions). Verify with npm view @takk/coryphaeus@<version> --json | jq .dist.attestations.
  • Lockfile committed. pnpm-lock.yaml is tracked in git for reproducible installs.

There aren't any published security advisories