| Version | Supported |
|---|---|
| 1.0.x | β Yes |
Sift follows strict secret management practices:
- No secrets are committed to version control β verified via automated
git grepscans - All sensitive values are stored in
.env.local(gitignored) .env.examplecontains only placeholder variable names- Server-side Supabase operations use
SUPABASE_SERVICE_ROLE_KEYexclusively in API routes (never exposed to the client) - The
NEXT_PUBLIC_SUPABASE_ANON_KEYfollows Supabase's Row Level Security model and is safe for client-side exposure
- API Route Protection β All server-side API routes (
/api/*) handle errors gracefully without leaking stack traces or internal state - Input Sanitization β User search queries are parameterized through Supabase RPC calls (SQL injection safe)
- No Logging of Secrets β Console logs never contain API keys, tokens, or credentials
- Rate Limiting β OpenAI calls use
p-limitconcurrency control to prevent quota exhaustion - Embedding Security β Only top-K results are retrieved; the full dataset is never sent to any external API
If you discover a security vulnerability in Sift, please report it responsibly:
- Email: musbabaff@gmail.com
- Subject:
[SECURITY] Sift Vulnerability Report - Include: Steps to reproduce, potential impact, and suggested fix if possible
We will acknowledge receipt within 48 hours and provide a resolution timeline.
You can verify the repository is clean by running:
git grep -iE "sk-|api_key=|token=|secret=|password=" -- ":(exclude).env.example" ":(exclude)*.md"This should return zero results for any real credentials.