| Branch | Status |
|---|---|
behavior-monitoring |
✅ Active development |
main |
✅ Maintained |
Do not open a public GitHub issue for security vulnerabilities.
Please email a description of the issue to the repository owner via the contact information on the GitHub profile. Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce
- Any suggested fix if you have one
You will receive a response within 72 hours. If the issue is confirmed, a fix will be prioritised and a patch released before any public disclosure.
The primary security-relevant surfaces in this project:
Ingest API (POST /metrics/ingest):
- The
X-API-Keyheader is checked against theMONITOR_API_KEYenvironment variable at request time (not at startup), so the key can be rotated without restarting. The endpoint returns 503 if the variable is unset, preventing accidental open ingestion. - Metric fields are range-validated by Pydantic before being written to
the database. Values outside
[0, 1]for rates and scores are rejected with HTTP 422.
Dashboard API (GET /dashboard/*, POST /dashboard/*):
- When the
MONITOR_DASHBOARD_KEYenvironment variable is set, all/dashboard/*routes require a matchingX-Api-Keyheader. An incorrect or missing key returns HTTP 401. - When the variable is unset the dashboard is unauthenticated - suitable for local development and deployments protected at the network layer (reverse proxy with Nginx/Cloudflare Access, VPN, etc.).
- The same header name (
X-Api-Key) and rotation semantics apply as forMONITOR_API_KEYon the ingest endpoint. Both keys can be rotated without restarting the server.
SQLite database (data/metrics/metrics.db):
- Local by default. WAL mode is enabled for concurrent access but there is no encryption. If the database contains sensitive inference data, encrypt at rest via filesystem-level encryption.
- If you expose the FastAPI server to a network, ensure
MONITOR_API_KEYis set and the server is behind a reverse proxy with TLS.
Prometheus endpoint (GET /metrics):
- Unauthenticated. Exposes operational metrics (trust score, F1, drift, decision counts). Restrict at the network layer in production.
Running pip-audit or safety against this project's dependencies is
recommended for scanning for known vulnerabilities. All direct dependencies
are pinned to compatible ranges in pyproject.toml.