If you believe you have found a security vulnerability in apfel, please report it responsibly. Do NOT file a public GitHub issue.

Preferred: Use GitHub's private vulnerability reporting: https://github.com/Arthur-Ficial/apfel/security/advisories/new

Alternative: Email fe at f19n dot com with:

• Description of the vulnerability
• Steps to reproduce
• Expected vs actual behavior
• Your apfel version (apfel --version)

• Acknowledgment: within 3 business days
• Assessment: within 10 business days
• Fix (if confirmed): target 30 days, may vary by severity

apfel runs 100% on-device. There are no cloud calls for inference. The security surface is:

• HTTP server (apfel --serve) - OpenAI-compatible API on localhost
• MCP tool execution (--mcp) - subprocess spawning and IPC
• CLI argument parsing - flag handling and file reading (-f)
• Origin validation - CORS and CSRF protection for the server

Issues in Apple's FoundationModels framework itself should be reported to Apple: https://developer.apple.com/bug-reporting/

• Server binds to localhost only by default
• Origin validation rejects non-localhost requests unless --permissive is set
• Bearer token authentication available via --token or APFEL_TOKEN
• --permissive and --dangerous-allow-all-origins require explicit opt-in
• No secrets stored on disk; tokens are passed via environment variables or flags