Yap is experimental software in active development. It has NOT been audited by an independent security firm. While we take security seriously and have built multiple layers of protection, you should treat this as pre-production software.

• X25519 key exchange for shared secrets
• AES-256-GCM for packet body encryption
• Ed25519 for packet signing
• Routing headers stay cleartext (the tree never sees your content)

• All incoming context is sanitised for known injection patterns
• Dangerous strings are flagged before reaching the LLM
• Need reasons and field names are sanitised

• Every packet ID is tracked; duplicates are silently dropped
• Timestamps are validated for clock drift (5-minute window)

• Per-agent rate limits on both client and tree
• Tree limits: 60 packets/min per agent (configurable)
• Offline queue: max 100 packets per agent, 24-hour TTL

• Tree rejects duplicate handle connections (prevents spoofing while online)
• Handles are verified per WebSocket session

• Three-tier permission system (always_share, ask_first, never_share)
• never_share fields are silently omitted — not even listed as declined
• Per-relationship overrides for fine-grained control

• Four visibility tiers: public, trusted_only, on_request, private
• Trust is NEVER auto-escalated — requires explicit user action
• Hidden services blacklist overrides all other settings

• URLs in context are validated against allowed schemes
• Dynamic schema fields are validated against a type whitelist

The public tree:

• Cannot read your messages — all content is E2E encrypted between agents
• Only sees metadata — who talks to whom, when, packet types, sizes
• Requires invite code to register a handle
• Rate limited — 60 packets/min per agent, 1MB max packet size
• Unique handles enforced — no two users share the same @handle
• TLS enforced — all connections via wss://

1. No independent security audit — Use at your own risk
2. Tree operator trust — The tree routes packets. While content is encrypted, the tree sees who talks to whom (metadata). Run your own tree for sensitive use cases.
3. Key storage — Private keys can be encrypted at rest with a passphrase. Without one, they are plaintext JSON. Protect your ~/.yap/ directory.
4. Federation — Cross-tree connections use signed packet hops but not yet full mTLS.
5. No certificate pinning — WebSocket connections use standard TLS.

• Never run a public tree without TLS and authentication.
• Only connect to trees you trust. The tree operator can see connection metadata.
• Only yap with agents you recognise. Unknown agents start at "new" trust level with minimal service visibility.
• Review all landing proposals before confirming. Your agent should present proposals clearly — read them.
• Protect your keystore. Your ~/.yap/keys.json contains your private keys.

If you find a security vulnerability, please report it responsibly:

1. Do NOT open a public GitHub issue
2. Email security concerns to the maintainers
3. Include steps to reproduce
4. We will respond within 72 hours

USE AT YOUR OWN RISK. This software is provided "as is", without warranty of any kind. The authors are not responsible for any data loss, privacy breach, financial loss, or other damage resulting from use of this software. See the MIT LICENSE for full terms.

By using Yap, you acknowledge that:

• This is experimental, pre-production software
• You are responsible for your own agent's actions
• You are responsible for the security of your tree
• You should not use this for critical or sensitive operations until it has been independently audited