Security: hinanohart/subjunctor

SECURITY.md

Security Policy

Supported versions

Version    Supported
0.1.x      yes

Pre-1.0 releases receive security fixes on the latest minor only.

Reporting a vulnerability

Please do not open a public GitHub issue for security reports.

Instead, open a private security advisory at:

https://github.com/hinanohart/subjunctor/security/advisories/new

We aim to acknowledge within 7 days and to ship a patched release within 30 days for high-severity reports.

What is in scope

  • Token-budget contract bypass that allows unbounded LLM spend.
    • Known v0.1.x limitation (documented, not a vulnerability): only candidate.tokens is debited against the ledger; internal probe / estimator calls are not. Operators handling adversarial input streams SHOULD share a single BudgetLedger (via ledger: in GateConfig) for per-agent cumulative capping, AND set a defensive hard_limit_calls, AND add an upstream rate limit. Internal-probe budgeting lands in v0.2.x.
  • Estimator / probe code paths that crash the host process on adversarial input.
  • Adapter code paths (openaiAdapter, anthropicAdapter) that leak credentials from the injected client into log output or thrown error messages.
  • Verdict.reason leaking secrets via internal_error:<class>:<message>. The gate sanitizes obvious patterns (sk-..., Bearer ..., Authorization: ...) before placing them in reason, but the SDK that raised the error may still embed sensitive context in its own error payload — operators piping verdicts to public logs SHOULD post-filter.
  • JSONL event logger paths writing outside the configured file (path traversal).
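The Verdict.reason item above asks operators who pipe verdicts to shared logs to post-filter them. Below is an added example of such an operator-side filter (not subjunctor's own code): the Verdict shape, the rule list beyond the three patterns named above, and the sample payload are assumptions constructed for this example; only the `internal_error:<class>:<message>` reason format comes from this page.

```typescript
// Added example, not part of subjunctor. Assumed minimal Verdict shape:
// only `reason` and its internal_error:<class>:<message> layout are from the page.
interface Verdict {
  decision: string;
  reason: string;
}

// Redaction rules, applied in order. The first three mirror the patterns the
// gate already scrubs (Authorization: ..., Bearer ..., sk-...); the fourth is
// extra operator-side coverage for credential-named key/value pairs that an
// SDK may echo inside its own error payload (JSON-ish or query-ish).
const RULES: Array<[RegExp, string]> = [
  [/\bAuthorization:\s*(?:Bearer\s+|Basic\s+)?\S+/gi, "Authorization: [REDACTED]"],
  [/\bBearer\s+[A-Za-z0-9._~+\/=-]+/g, "Bearer [REDACTED]"],
  [/\bsk-[A-Za-z0-9_-]{8,}/g, "sk-[REDACTED]"],
  [/\b(api[_-]?key|x-api-key|secret|token|password)(["']?\s*[:=]\s*["']?)[^"'\s,}&]+/gi, "$1$2[REDACTED]"],
];

// Scrub a reason string. The `internal_error:<class>:` prefix is kept intact so
// the error class stays usable for triage; only the message part is filtered,
// then capped so a verbose SDK payload cannot flood the log.
function redactReason(reason: string, maxLen = 512): string {
  const m = /^(internal_error:[^:]*:)([\s\S]*)$/.exec(reason);
  const prefix = m ? m[1] : "";
  let body = m ? m[2] : reason;
  for (const [re, repl] of RULES) body = body.replace(re, repl);
  if (body.length > maxLen) body = body.slice(0, maxLen) + "...[truncated]";
  return prefix + body;
}

// Return a copy of the verdict safe to forward to a public log sink.
function redactVerdict(v: Verdict): Verdict {
  return { ...v, reason: redactReason(v.reason) };
}

// Constructed sample (the key is a placeholder, not a real credential): an SDK
// authentication error whose payload and request headers leaked into reason.
const SAMPLE: Verdict = {
  decision: "escalate",
  reason:
    'internal_error:AuthenticationError:401 {"error":"invalid api_key","api_key":"sk-EXAMPLE0123456789abcdef"}' +
    " headers: Authorization: Bearer sk-EXAMPLE0123456789abcdef",
};

console.log(redactVerdict(SAMPLE).reason);
```

Run the filter at the log boundary only; the unredacted verdict should still reach the operator's private store so incidents can be reconstructed.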

What is out of scope

  • The accuracy of the underlying LLM. subjunctor is a gate, not a hallucination eliminator.
  • The behaviour of any third-party LLM SDK that the user injects via CompletionFn.
  • Threshold-tuning: choosing tau_u, tau_s, tau_a is the user's responsibility.
  • CLI-supplied file paths. The CLI runs with operator privileges and reads any path the operator provides (e.g. subjunctor analyze /var/log/x.jsonl).
  • Development dependencies (vitest, @vitest/coverage-v8, transitive esbuild). npm audit --omit=dev is clean on every release and CI gates on it; npm audit (including dev deps) currently reports 6 moderate advisories under esbuild dev-server — these do not ship to consumers who only npm install subjunctor. See CI logs for the current snapshot.

Hardening notes

  • The package has zero runtime credential handling. The user injects CompletionFn; subjunctor never reads environment variables or token files. (This is minimum-trust DI, not an object-capability pattern.)
  • JsonlEventLogger opens a single file path supplied by the user; no globbing, no shell. Writes use appendFileSync and are best-effort durable (no fsync(2)).
  • npm audit --omit=dev is clean on every release; CI gate enforces it.
  • The gate is fail-closed: invalid BudgetConfig, missing completion, and a throwing on_event sink all yield verdict escalate, not uncaught exceptions. Covered by tests in test/gate.test.ts.