Janus runs locally and handles sensitive material: LLM API keys, OAuth tokens, Telegram bot tokens and the contents of your machine. Please treat security reports responsibly.
Do not open a public issue for security problems. Instead, report privately via GitHub's "Report a vulnerability" button on the Security tab of this repository (Security → Advisories → Report a vulnerability).
Please include:
- a description of the issue and its impact;
- steps to reproduce (a minimal proof of concept if possible);
- the affected version or commit.
You will get an acknowledgement as soon as possible, and a fix or mitigation will be coordinated before any public disclosure.
- Secrets live only in the
JANUS_HOME/.envfile, created with0600permissions, and are injected into tool/MCP subprocesses at spawn time. - Secrets are never written to the MCP connector registry, logs or the README.
- Never paste real API keys, tokens or
.envcontents into issues or PRs.
This is pre-1.0 software; only the latest released version receives security fixes.