If you find a security vulnerability in LLMKit, please report it responsibly:
- Do not open a public GitHub issue
- Email the maintainer through the GitHub profile or use GitHub Security Advisories
- Include steps to reproduce and potential impact
We aim to acknowledge reports within 48 hours and provide a fix timeline within 7 days.
- Encryption: Provider API keys are encrypted at rest with AES-GCM. User API keys are hashed with SHA-256 before storage.
- Authentication: All proxy API calls require a valid API key sent in the Authorization: Bearer header. The dashboard uses Clerk for user authentication.
- Data boundaries: The MCP server's local tools (llmkit_cc_*) never transmit data. Proxy tools send only request metadata (model, tokens, cost), never prompt content or completions.
- Infrastructure: The proxy runs on Cloudflare Workers (edge, no persistent server). The database is on Supabase with Row Level Security enabled on all tables. The dashboard runs on Vercel with Clerk SSO.
- CI/CD: Automated secret scanning (gitleaks), security linting (semgrep), and dependency auditing on every push.
| Version | Supported |
|---|---|
| 0.3.x | Yes |
| < 0.3 | No |
This policy covers the @f3d1/llmkit-mcp-server npm package and the hosted proxy at llmkit-proxy.smigolsmigol.workers.dev.