# Security policy

## Supported versions
| Version | Supported |
|---|---|
| 0.1.x | yes |
## Reporting a vulnerability
Please do not open a public GitHub issue for security vulnerabilities. Public issues can expose users to risk before a fix is available.
This project is maintained by a single developer. Use one of the private channels below.
### Preferred: GitHub Private Vulnerability Reporting
Report through GitHub’s private vulnerability form:
- Open github.com/arcpx-eng/arc-dag
- Open the Security tab
- Click Report a vulnerability
Submissions are visible only to the maintainer. Use this channel to discuss and resolve the issue before any public disclosure.
Direct link: Report a vulnerability
Requires private vulnerability reporting to be enabled on the repository.
### Alternative: private email
If you cannot use GitHub’s form, email the repository owner privately. Do not CC public mailing lists or post details on social media.
## What to include
- Description of the issue
- Steps to reproduce
- Affected version(s)
- Impact assessment (if known)
- Any suggested fix or mitigation (optional)
I will acknowledge receipt and work on a fix or coordinated disclosure as appropriate.
## User responsibilities
- API keys: Pass LLM credentials via `GraphEngine({ llm: { apiKey, … } })` from environment variables or secret managers; never commit them into pipeline JSON or checked-in `globalSettings` files. See LLM configuration.
- Pipeline JSON: Treat exported graphs as configuration that may contain prompts and URLs; review before sharing.
- nodeExecutor: You control all network calls; audit handlers that fetch external URLs or execute code.
## Scope
This library schedules DAG execution locally in your process. It does not authenticate users, sandbox nodeExecutor code, or validate remote URLs. Those concerns belong in your application layer.
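The user-responsibility points above (credentials from the environment, reviewing pipeline JSON before sharing, auditing nodeExecutor handlers) and the application-layer scope note, as an added JavaScript example that is not arc-dag's own code. It assumes nodeExecutor is a function taking a node object, that fetch-type nodes expose `node.url`, and that the environment variable `LLM_API_KEY` and the allowlisted host are placeholders of your choosing.

```javascript
// Added example, not code from arc-dag: application-layer guards the policy
// leaves to you. Assumptions (not confirmed by the page): nodeExecutor is a
// function (node) => result, and fetch-type nodes carry their target in
// node.url. The hostname below is constructed for illustration.
const ALLOWED_HOSTS = new Set(['api.example.com']); // constructed allowlist

// Build the llm config from the environment instead of a literal, so a
// missing secret fails at startup rather than ending up in pipeline JSON.
function llmConfigFromEnv(env = process.env) {
  const apiKey = env.LLM_API_KEY; // assumed variable name
  if (!apiKey) throw new Error('LLM_API_KEY is not set');
  return { apiKey };
}

// Accept only https URLs whose host is on the allowlist; malformed input
// (which new URL() rejects) is treated as not allowed.
function isAllowedUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  return url.protocol === 'https:' && ALLOWED_HOSTS.has(url.hostname);
}

// Wrap a nodeExecutor so every fetch node is checked before its handler
// runs; other node types pass straight through to the inner executor.
function guardedExecutor(inner) {
  return (node) => {
    if (node.type === 'fetch' && !isAllowedUrl(node.url)) {
      throw new Error(`blocked fetch to ${node.url}`);
    }
    return inner(node);
  };
}

// Walk an exported graph (pipeline JSON) and return dotted paths of fields
// whose names look like credentials, for review before the file is shared.
const CREDENTIAL_NAMES = /^(apiKey|api_key|token|secret|password)$/i;
function findCredentialFields(obj, path = '') {
  if (obj === null || typeof obj !== 'object') return [];
  return Object.entries(obj).flatMap(([key, value]) => {
    const here = path ? `${path}.${key}` : key;
    const hit = CREDENTIAL_NAMES.test(key) ? [here] : [];
    return hit.concat(findCredentialFields(value, here));
  });
}

// Wiring, using the constructor form the policy shows:
// GraphEngine({ llm: llmConfigFromEnv(), nodeExecutor: guardedExecutor(myExecutor) });
```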