If you discover a security issue in Calder, please report it privately:
- Open a GitHub Security Advisory, or
- Email the maintainer via the contact listed on the GitHub profile.
Please do not open public issues for exploitable vulnerabilities.
Security fixes are applied to the latest main branch and the most recent release.
- Never commit
.env, API keys, tokens, PEM private keys, orcredentials.json. - Use
.env.exampleas a template only; copy to.envlocally (gitignored). - Provider credentials belong in your OS login shell or user-level CLI config (
~/.claude,~/.codex, etc.), not in the repository.
bin/release-checksums.jsonpins SHA-256 hashes for release assets consumed bybin/calder.js.- Regenerate checksums during release with
npm run checksums:generate -- <assets-dir> <asset-files...>. - Set
CALDER_REQUIRE_CHECKSUM=1to refuse downloads without a pinned checksum.
CI and local hooks run:
npm run audit:secrets— scan tracked files for accidental secretsnpm audit --omit=dev --audit-level=high— production dependency advisories- ESLint, tests, and structure guardrails