Security

Security posture & disclosure.

{ai} engineering runs entirely on your machine and is built under its own security gates — here’s the posture, and how to report a vulnerability.

Posture

{ai} engineering runs entirely on your machine. There is no telemetry and no hosted control plane: your code, specs, and audit logs never leave your environment. Policies, skills, and the hash-chained NDJSON audit trail are versioned local files you own, so there is no vendor lock-in.

Built under its own gates

The framework is held to the same security checks it ships. Each release runs through:

  • [PASS] gitleaks: staged-diff secret scanning on every commit
  • [PASS] semgrep: static analysis against the project ruleset
  • [PASS] SonarCloud: continuous code-quality and security review
  • [PASS] Snyk: dependency vulnerability scanning
  • [PASS] SBOM: software bill of materials for each release
  • [PASS] signed provenance: build provenance attested and signed

The audit trail is hash-chained NDJSON — tamper-evident and verifiable from the source.
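How a hash-chained NDJSON log becomes tamper-evident, as an added example that is not the project's own code. The page does not specify the record layout, so the field names (`seq`, `prev`, `hash`, `event`), the all-zero genesis value, and SHA-256 over sorted-key JSON are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record


def entry_hash(record):
    """SHA-256 over the canonical JSON of the record minus its own 'hash'."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(lines, event):
    """Return the NDJSON lines with one more chained record appended."""
    prev = json.loads(lines[-1])["hash"] if lines else GENESIS
    record = {"seq": len(lines), "prev": prev, "event": event}
    record["hash"] = entry_hash(record)
    return lines + [json.dumps(record, sort_keys=True)]


def verify(lines, expected_head=None):
    """Return (ok, reason). Checks each link and, if given, the pinned head."""
    prev = GENESIS
    for n, line in enumerate(lines):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            return False, f"line {n}: not valid JSON"
        if not isinstance(record, dict) or record.get("prev") != prev:
            return False, f"line {n}: prev does not match preceding hash"
        if record.get("hash") != entry_hash(record):
            return False, f"line {n}: content does not match its hash"
        prev = record["hash"]
    # A chain only proves internal consistency; dropping trailing records
    # goes unnoticed unless the last hash is pinned somewhere else.
    if expected_head is not None and prev != expected_head:
        return False, "head hash differs from pinned value"
    return True, "ok"


# Constructed sample log, not real audit data.
LOG = []
for ev in ("gate:gitleaks pass", "gate:semgrep pass", "release signed"):
    LOG = append(LOG, ev)
HEAD = json.loads(LOG[-1])["hash"]
```

Editing or deleting a record breaks the chain at or after that line; truncating the tail is only caught when the head hash is compared against a copy stored outside the log.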

Reporting a vulnerability

If you believe you’ve found a security issue, please report it privately so it can be addressed before public disclosure. Do not open a public issue for security reports.

[email protected]

Include affected version, reproduction steps, and impact where you can — it helps us triage faster.