Project Lethe is intended for authorized security testing and defensive WAF resilience validation.
Only use this tool on systems you own, administer, or have explicit written permission to test. Lethe's generation commands do not send network traffic and do not include payload packs, but generated variants may still be sensitive in the wrong context.
Profile mode can send bearer tokens, cookies, and custom headers to a URL you provide. Prefer environment-variable based options, avoid committing real tokens to config files, and only profile authenticated routes where testing is explicitly authorized.
AI planning can call Gemini, OpenAI, Claude, local providers such as Ollama, LM
Studio, LocalAI, or another OpenAI-compatible endpoint when you configure a
provider. Store only the provider, model, base URL, and API-key environment
variable name in .lethe.toml. Keep actual cloud API keys in your shell
environment. The direct --ai-api-key flag exists for quick local tests, but
it can land in shell history. Local providers do not require real API keys, but
you should still treat prompts and site profiles as sensitive testing context.
lethe auth save stores auth material temporarily in a local cache outside the
repository, usually ~/.cache/project-lethe/auth.json. It is plaintext local
storage with a TTL, so treat it like a sensitive file, keep TTLs short, and run
lethe auth purge when finished. Lethe writes the cache with 0600
permissions when the filesystem supports POSIX permissions.
HTTP discrepancy and stress-template features generate request templates only; Lethe does not send them. Keep stress settings bounded, prefer local labs for regex and inspection-window checks, and do not use generated templates to crash, exhaust, or degrade services.
Advanced novelty mode, stacked mutations, and polymorphic padding are bounded local generation features. They are intended for authorized normalization and parser-resilience testing, not for claiming real zero-day exploit generation or evading controls on third-party systems without permission.
If you find a vulnerability in Project Lethe itself, please open a private security advisory or contact the maintainer privately before publishing details.
Requests to add target scanning, automated exploitation, credential attacks, or WAF-specific bypass packs are out of scope for this project.