# Security Policy

## Supported Versions

We provide security updates for the following versions:

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability in @juanpprieto/lexicon-client, please report it responsibly:

### 🔒 Private Disclosure

**Please DO NOT create a public GitHub issue for security vulnerabilities.**

Instead, report security issues privately via:

1. **GitHub Security Advisories** (Preferred)
   - Go to https://github.com/juanpprieto/lexicon-client/security/advisories/new
   - Provide detailed information about the vulnerability

2. **Email**
   - Send details to: jpprietobaez@gmail.com
   - Include "SECURITY" in the subject line

### 📋 What to Include

When reporting a vulnerability, please include:

- **Description** of the vulnerability
- **Steps to reproduce** the issue
- **Potential impact** and attack scenarios
- **Suggested fix** (if you have one)
- **Your contact information** for follow-up

### ⏱️ Response Timeline

- **Initial Response**: Within 48 hours
- **Assessment**: Within 7 days
- **Fix Timeline**: Depends on severity
  - Critical: Within 7 days
  - High: Within 14 days
  - Medium/Low: Within 30 days

### 🛡️ Security Measures

This package implements several security best practices:

#### Supply Chain Security

- **NPM Provenance** - All published packages include build attestation
- **SLSA Level 3** - Supply chain security framework compliance
- **Dependency Scanning** - Automated vulnerability detection in dependencies
- **CodeQL Analysis** - Static security analysis on all code

#### Runtime Security

- **Input Validation** - All API inputs validated with Zod schemas
- **Error Handling** - Comprehensive error handling prevents information leakage
- **Network Security** - HTTPS-only connections (when available)
- **No Eval** - No dynamic code execution or eval usage

#### Development Security

- **Pre-commit Hooks** - Quality and security checks before commits
- **Dependency Review** - Automated review of dependency changes
- **Audit Scans** - Regular npm audit checks for known vulnerabilities

### 🔍 Security Considerations for Users

When using this library:

1. **Local API Only** - This library is designed for localhost connections only
2. **Network Exposure** - Do not expose Lexicon DJ's API to external networks
3. **Access Control** - Ensure only authorized applications can access the local API
4. **Update Regularly** - Keep the library updated to receive security patches
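One way a consumer can enforce the localhost-only guidance above before handing a base URL to the client. This is an added example, not code from @juanpprieto/lexicon-client; the function names and the exact rejection rules (loopback hosts only, http/https only, no embedded credentials) are assumptions.

```typescript
// Added example (not part of @juanpprieto/lexicon-client): guard that a
// base URL points at the loopback interface before a client is constructed.
// Helper names and rejection rules are assumptions for illustration.

const LOOPBACK_HOSTS = new Set(["localhost", "[::1]"]);

/** True for dotted-quad addresses in 127.0.0.0/8 (the IPv4 loopback block). */
function isIPv4Loopback(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  return octets[0] === 127 && octets.every((o) => o <= 255);
}

/**
 * Returns true only when `raw` parses as an http(s) URL whose host is the
 * loopback interface. The WHATWG URL parser normalises shorthand forms
 * (e.g. "127.1", "0x7f000001", "[0:0:0:0:0:0:0:1]") before we inspect
 * them, so the checks run on the canonical hostname.
 */
function isLoopbackBaseUrl(raw: string): boolean {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return false; // unparseable input is rejected, not guessed at
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // "http://localhost@evil.example" has hostname evil.example; refuse
  // credentials outright so the host check cannot be confused.
  if (url.username || url.password) return false;
  const host = url.hostname.toLowerCase();
  return LOOPBACK_HOSTS.has(host) || isIPv4Loopback(host);
}

/** Fails fast with a descriptive error; returns the URL unchanged otherwise. */
function assertLoopbackBaseUrl(raw: string): string {
  if (!isLoopbackBaseUrl(raw)) {
    throw new Error(`refusing non-loopback Lexicon API base URL: ${raw}`);
  }
  return raw;
}
```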

### 🚨 Known Security Limitations

- **Local Network Trust** - Assumes localhost connections are secure
- **No Authentication** - Relies on Lexicon DJ's local API security model
- **File System Access** - Can read/write track metadata through Lexicon DJ

### 📞 Contact

For security-related questions or concerns:

- **Security Team**: jpprietobaez@gmail.com
- **Maintainer**: jpprietobaez@gmail.com

---

Thank you for helping keep @juanpprieto/lexicon-client secure! 🔒
