Currently, tex-assist-coding is in active development. Security updates are provided for:

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: security@sonotheia.com

When reporting a vulnerability, please include:

1. Type of vulnerability (e.g., XSS, SQL injection, dependency vulnerability, etc.)
2. Full paths of affected source files
3. Location of the affected code (tag/branch/commit)
4. Step-by-step instructions to reproduce the issue
5. Proof-of-concept or exploit code (if possible)
6. Impact of the vulnerability
7. Suggested fix (if you have one)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity
  • Critical: 7 days
  • High: 14 days
  • Medium: 30 days
  • Low: Next release cycle

CRITICAL: Never commit API keys to version control

1. Use environment variables only

   export ANTHROPIC_API_KEY='your-key'
   export OPENAI_API_KEY='your-key'
   export GEMINI_API_KEY='your-key'
   

2. Secure storage

   • Use secret management tools (AWS Secrets Manager, HashiCorp Vault, etc.)
   • For local development, use .env files (ensure .gitignore includes them)
   • For CI/CD, use encrypted secrets

3. Key rotation

   • Rotate API keys every 90 days
   • Immediately rotate if compromised
   • Use different keys for dev/staging/prod

Regular Updates: Check for vulnerabilities

# Install safety
pip install safety

# Check dependencies
safety check

# Or use pip-audit
pip install pip-audit
pip-audit

Known Issues:

• Review pyproject.toml regularly
• Update dependencies with security patches
• Use dependabot for automated alerts

NEVER commit:

• API keys
• Passwords
• Private keys
• .env files
• Database credentials
• GitHub tokens
• Personal information

Use:

• Environment variables
• Secret management services (AWS Secrets Manager, HashiCorp Vault)
• .env.example for documentation (without real values)

This repository contains educational documentation and examples. When using examples:

1. Review before use: Always review example code before using in production
2. Remove hardcoded values: Replace any placeholder credentials
3. Validate inputs: Add input validation for production use
4. Error handling: Add proper error handling
5. Security headers: Add security headers for web examples

For documentation and examples:

1. No real credentials: Examples should never contain real API keys or passwords
2. Sanitized examples: Remove any sensitive information from code examples
3. Placeholder values: Use clear placeholders (e.g., YOUR_API_KEY_HERE)
4. Environment variables: Demonstrate proper use of environment variables

1. Input validation: Examples demonstrate proper input validation
2. API key isolation: Keys never logged or exposed in examples
3. Error handling: Examples demonstrate proper error handling
4. Type safety: Examples include type hints where applicable

• Examples require explicit API key setup
• No hardcoded credentials in examples
• Environment variable configuration demonstrated
• Minimal network exposure in examples

Before using examples in production:

• Review all example code
• Remove any hardcoded credentials
• Add input validation
• Add error handling
• Configure API keys securely
• Review dependencies for vulnerabilities
• Add security headers (for web examples)
• Sanitize any user-generated content
• Implement rate limiting (for API examples)

• Safety: Dependency vulnerability scanner
• pip-audit: Python package vulnerability auditor
• Bandit: Python security linter
• Trivy: Container vulnerability scanner

• OWASP Top 10
• Python Security Best Practices
• GitHub Security Best Practices
• FastAPI Security

For security concerns, contact: security@sonotheia.com

For general issues: https://github.com/doronpers/tex-assist-coding/issues

Last Updated: January 2026