Report security vulnerabilities privately via email to security@synapt.dev. Do not open a public GitHub issue.
We will acknowledge receipt within 4 hours during business hours (US Eastern). For confirmed vulnerabilities in published releases, we target a patch release within 48 hours of confirmation.
extract is a pure computation library. It builds prompts from text, validates JSON documents against the SynaptExtraction IL schema, and runs a deterministic finalization pipeline. It does not:
- Make network requests
- Access the filesystem (beyond reading bundled prompt fragments at import time)
- Execute user-supplied code
- Store or transmit credentials
The proposed extract() callback architecture (target: v0.4.0, see docs/callback-signature.md) will delegate all network operations to the caller. The design ensures synapt never sees API keys, auth tokens, or user credentials. The caller will own:
- LLM API calls (via `callLlm` callback)
- Embedding API calls (via `getEmbedding` callback)
- Retry logic, rate limiting, and fallback providers
- Credential management and rotation
Note: The callback API is not exported in v0.3.x. The types and `extract()` function described in `docs/callback-signature.md` are proposed; implementation ships in v0.4.0.
The following APIs MUST NOT appear in extract's source code. CI enforces this via best-effort regex scanning of source, compiled dist, and packed artifacts. The scanner catches direct usage, common obfuscation patterns (computed property access, string concatenation, array .join(), base64 decode, Reflect.get, Function() calls, importlib), and blocks unlisted runtime dependencies. Full AST-aware scanning (TypeScript compiler API + Python ast module) is planned for v0.4.0.
- `fetch`, `XMLHttpRequest`, `WebSocket`
- `node:net`, `node:http`, `node:https`, `node:http2`
- `Deno.connect`, `Deno.dial`, `Deno.listen`
- Dynamic `import()` of network-capable modules
- `child_process`, `node:child_process`
- `eval`, `new Function()`
Any PR introducing a forbidden API is a security-relevant change and requires explicit review.
Every npm release is published with Sigstore provenance via GitHub Actions OIDC. Verify provenance:
```bash
npm audit signatures
```

This confirms the published package was built from the source commit in this repository by the CI workflow, not by a human.
PyPI releases use trusted publishing via GitHub Actions OIDC. The publishing workflow is the only entity authorized to upload releases.
Each GitHub Release includes a CycloneDX SBOM (sbom.cdx.json) listing all dependencies included in the npm package.
The CI pipeline verifies build determinism on every push:
- npm: `npm pack` is run twice and SHA256 checksums are compared (byte-identical)
- Python wheel: `python -m build` is run twice with a fixed `SOURCE_DATE_EPOCH` and wheel checksums are compared (byte-identical)
- Python sdist: content-equivalent only. Setuptools embeds wall-clock timestamps in gzip/PAX headers, a known upstream limitation. The unpacked contents are identical; the `.tar.gz` wrapper bytes may differ.
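
The sdist case above, as an added example (not this project's CI code): two constructed in-memory archives stamped a minute apart differ byte-for-byte but yield the same content digest, while a changed file does not. The helper names `make_sdist`, `content_digest` and `compare`, and the sample file tree, are assumptions for illustration.

```python
import gzip
import hashlib
import io
import tarfile

def make_sdist(files, mtime):
    """Build a constructed .tar.gz in memory, stamping `mtime` into tar and gzip headers."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def content_digest(sdist_bytes):
    """Hash what unpacking yields: name, type, mode, link target and file bytes.
    Timestamps, owner fields and the gzip wrapper are deliberately left out."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            body = tar.extractfile(m).read() if m.isfile() else b""
            fields = (m.name, m.type.decode(), oct(m.mode), m.linkname,
                      hashlib.sha256(body).hexdigest())
            h.update("\0".join(fields).encode() + b"\n")
    return h.hexdigest()

def compare(a, b):
    """Return (byte_identical, content_equivalent) for two sdist archives."""
    return (hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
            content_digest(a) == content_digest(b))

# Constructed sample tree; the version and file contents are placeholders.
FILES = {
    "synapt_extract-0.0.0/PKG-INFO": b"Metadata-Version: 2.1\n",
    "synapt_extract-0.0.0/src/synapt_extract/__init__.py": b"# placeholder\n",
}

if __name__ == "__main__":
    first = make_sdist(FILES, 1704067200)   # two builds a minute apart
    second = make_sdist(FILES, 1704067260)
    print("byte-identical, content-equivalent:", compare(first, second))
    tampered = dict(FILES)
    tampered["synapt_extract-0.0.0/src/synapt_extract/__init__.py"] += b"import os\n"
    print("tampered build:", compare(first, make_sdist(tampered, 1704067200)))
```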
You can reproduce a release locally:

```bash
# npm (from the repository root)
cd packages/ts && npm ci && npm run build && npm pack
sha256sum *.tgz

# Python wheel (from the repository root)
cd packages/python
cp -r ../../prompts src/synapt_extract/prompts
cp -r ../../schemas src/synapt_extract/schemas
SOURCE_DATE_EPOCH=1704067200 python -m build
sha256sum dist/*.whl
```

If a compromised release is confirmed:
- Unpublish the affected version from npm and PyPI within 1 hour
- Post a GitHub Security Advisory with affected versions and remediation
- Publish a patch release with the fix
- Notify known consumers (Conversa and any registered downstream integrators)
| Version | Supported |
|---|---|
| 0.3.x | Yes |
| 0.2.x | Security fixes only |
| < 0.2 | No |