Use the latest version of the repository main branch.
| Version | Supported |
|---|---|
| latest | ✅ |
| < 1.0 | ❌ |
We take a "Local-First" and "Fail-Safe" approach to security.
- Client-Side Storage: API keys are stored exclusively in your browser's
localStorage. They are never saved to a database or disk on the server. - Transmission: Keys are transmitted via encrypted headers (
AuthorizationorX-Poe-Api-Key) directly to the AI provider (via the local proxy). - No Logging: The server is designed to act as a stateless pass-through for authentication. Keys are not logged.
- Strict Schemas: We use Zod schemas to narrowly define and validate all inputs (e.g., file types, JSON structures).
- Sanitization Pipelines:
- LaTeX Injection: All AI output passes through
sanitizeLatexOutput()to strip potential command injections or leaked formatting. - Export Safety: Before download, files are processed by
sanitizeLatexForExport()to ensure compilation safety.
- LaTeX Injection: All AI output passes through
- Local Environment: The application is designed to run locally or in an isolated container.
- Ephemeral Storage: Uploaded documents are processed in temporary directories and validated for MIME types (
application/pdf,text/plain).
Please open a GitHub Issue with the label security.
- Open a new issue.
- Describe the vulnerability in detail.
- Provide steps to reproduce.
- We will review it within the standard open-source contribution cycle.