Security: Targetly-Labs/flowllm

SECURITY.md

🔒 Security Guidelines for FlowLLM

⚠️ IMPORTANT: This is a PUBLIC repository

NEVER commit API keys, secrets, or sensitive data to this repository!


🛡️ Protected Files (Already in .gitignore)

The following files are automatically excluded from git:

  • ✅ .env - All environment files
  • ✅ .env.* - Any environment variant
  • ✅ *secret* - Any file with "secret" in the name
  • ✅ *key*.json - Any JSON file with "key" in the name
  • ✅ node_modules/ - Dependencies

🔑 How to Store API Keys Safely

1. Use Environment Variables (Recommended)

Create a .env file in the root or examples directory:

# .env (THIS FILE IS IN .gitignore)
OPENAI_API_KEY=your-openai-api-key-here
ANTHROPIC_API_KEY=sk-ant-...
GOOGLE_API_KEY=AIza...

Load in your code:

import 'dotenv/config'; // or require('dotenv').config();

const agent = defineAgent({
  provider: openai('gpt-4o'), // API key loaded from process.env
});

2. Never Hardcode Keys

❌ NEVER DO THIS:

const agent = defineAgent({
  provider: openai('gpt-4o', { 
    apiKey: 'your-openai-api-key-here' // NEVER!
  }),
});

✅ DO THIS INSTEAD:

const agent = defineAgent({
  provider: openai('gpt-4o', { 
    apiKey: process.env.OPENAI_API_KEY
  }),
});

Before Committing - Checklist

Run this checklist BEFORE every commit:

# 1. Check for accidentally committed secrets
git grep -i "sk-proj" # OpenAI keys
git grep -i "sk-ant" # Anthropic keys
git grep -i "AIza" # Google keys

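# 2. Check .env files (-F matches the literal string ".env", so paths such as
#    src/environment.js are not reported)
git status --porcelain | grep -F ".env"  # Should show nothing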

# 3. Review staged files
git diff --staged

# 4. Use git-secrets (optional but recommended)
git secrets --scan

🚨 If You Accidentally Commit a Key

Act immediately:

  1. Revoke the key at the provider's dashboard
  2. Remove from git history:
    git filter-branch --force --index-filter \
      "git rm --cached --ignore-unmatch PATH/TO/FILE" \
      --prune-empty --tag-name-filter cat -- --all
  3. Force push (if already pushed):
    git push origin --force --all
  4. Generate new keys and update your .env file

🛠️ Recommended Security Tools

1. git-secrets

Prevent committing secrets:

# Install
brew install git-secrets  # macOS
# or
git clone https://github.com/awslabs/git-secrets

# Setup
git secrets --install
git secrets --register-aws  # If using AWS
# Key bodies can contain "_" and "-", so both are included in the character class
git secrets --add 'sk-[Pp]roj-[A-Za-z0-9_-]{32,}'  # OpenAI pattern
git secrets --add 'sk-ant-[A-Za-z0-9_-]{32,}'   # Anthropic
git secrets --add 'AIza[A-Za-z0-9_-]{35}'     # Google

2. Pre-commit Hooks

Create .git/hooks/pre-commit:

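#!/bin/bash

# Check for common secret patterns in the lines this commit adds.
# Scanning the staged diff (rather than passing file names to git grep) also
# behaves correctly when nothing is staged or a staged path contains spaces.
if git diff --cached -U0 | grep -E '^\+' | grep -qE '(sk-[Pp]roj-|sk-[Aa]nt-|AIza)'; then
    echo "❌ ERROR: Potential API key found in staged files!"
    echo "Please remove API keys before committing."
    exit 1
fi

# Check for .env files (except .env.example) in any directory.
# grep -E has no lookahead, so .env.example is filtered out by a second grep.
if git diff --cached --name-only | grep -E '(^|/)\.env(\..*)?$' | grep -qvE '(^|/)\.env\.example$'; then
    echo "❌ ERROR: .env file in staged changes!"
    echo "Make sure .env is in .gitignore"
    exit 1
fi

echo "✅ Pre-commit checks passed"
exit 0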

Make it executable:

chmod +x .git/hooks/pre-commit

Environment File Examples

Development (.env)

# Local development - NEVER COMMIT THIS FILE
OPENAI_API_KEY=your-openai-api-key-here
ANTHROPIC_API_KEY=sk-ant-your-real-key-here
GOOGLE_API_KEY=AIza-your-real-key-here

Template (.env.example)

# Template - SAFE TO COMMIT
OPENAI_API_KEY=your_openai_api_key_here
ANTHROPIC_API_KEY=your_anthropic_api_key_here
GOOGLE_API_KEY=your_google_api_key_here

Additional Security Best Practices

1. Use Key Restrictions

Configure API key restrictions at provider dashboards:

  • OpenAI: Set rate limits, allowed models
  • Anthropic: Set usage limits
  • Google: Restrict by IP, HTTP referrer

2. Rotate Keys Regularly

  • Change API keys every 90 days
  • Revoke old keys immediately after rotation

3. Monitor Usage

  • Set up billing alerts
  • Monitor for unusual activity
  • Review API usage regularly

4. Development vs Production Keys

  • Use separate keys for dev and prod
  • Set lower limits on dev keys
  • Never use production keys in examples

5. Team Collaboration

  • Use a secrets manager (1Password, LastPass, AWS Secrets Manager)
  • Never share keys via Slack, email, or chat
  • Use environment-specific keys

📋 CI/CD Security

For GitHub Actions or other CI/CD:

# .github/workflows/test.yml
name: Test

on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
      
      # Store secrets in GitHub Secrets
      - name: Run tests
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: npm test

Add secrets in GitHub: Repository Settings → Secrets and variables → Actions → New repository secret


✅ Quick Security Audit

Run these commands to audit your repo:

# Check for any potential secrets
git log --all --full-history --source --remotes -- '*.env'
git log -p | grep -i "api.key\|apikey\|api_key"

# Check current files
find . -name "*.env" -not -path "./node_modules/*"
grep -r "sk-proj" . --exclude-dir=node_modules
grep -r "sk-ant" . --exclude-dir=node_modules
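
The pre-commit hook and the audit commands above only say that something matched, and the audit greps print the whole matching line, key included. As an added example (not part of the FlowLLM repository), this POSIX shell function reads unified diff text and reports the file plus a redacted match; `scan_diff` and `sample_diff` are hypothetical names, and the sample diff with its fake keys is constructed.

```sh
#!/bin/sh
# Added example (not FlowLLM code): report which file adds a key-shaped
# string, printing only the prefix and length so the report leaks nothing.
# Prefixes and lengths follow the page's git-secrets patterns; allowing "_" and
# "-" inside the key body is an assumption about the providers' key alphabet.
KEY_RE='(sk-[Pp]roj-|sk-[Aa]nt-)[A-Za-z0-9_-]{32,}|AIza[A-Za-z0-9_-]{35}'

# Reads a unified diff on stdin (git diff --cached, or git log -p).
# Prints "<file>: <prefix>[redacted N chars]" per hit; returns 1 if any hit.
scan_diff() {
  found=0
  file="(unknown)"
  while IFS= read -r line; do
    case "$line" in
      '+++ '*)                       # file header: "+++ b/path"
        file=${line#'+++ '}
        file=${file#b/}
        ;;
      '+'*)                          # added line; removed and context lines are skipped
        for hit in $(printf '%s\n' "${line#+}" | grep -oE "$KEY_RE"); do
          prefix=$(printf '%s\n' "$hit" | sed -E 's/^(sk-[Pp]roj-|sk-[Aa]nt-|AIza).*$/\1/')
          printf '%s: %s[redacted %d chars]\n' "$file" "$prefix" "$(( ${#hit} - ${#prefix} ))"
          found=1
        done
        ;;
    esac
  done
  return "$found"
}

# Constructed sample diff: one fake key added, one fake key removed.
sample_diff() {
  cat <<'EOF'
--- a/examples/agent.js
+++ b/examples/agent.js
@@ -1,0 +2,2 @@
+const key = "sk-ant-FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE";
+const model = "gpt-4o";
--- a/.env.example
+++ b/.env.example
@@ -1 +1 @@
-OPENAI_API_KEY=sk-proj-FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE
+OPENAI_API_KEY=your_openai_api_key_here
EOF
}

sample_diff | scan_diff || echo "commit blocked: key-shaped string in staged changes"
```

In a hook it would be fed with `git diff --cached -U0 | scan_diff || exit 1`; for a history audit, `git log --all -p | scan_diff` lists every commit-added key without echoing it to the terminal or CI log.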

🆘 Emergency Response

If a key is exposed:

  1. Revoke immediately at provider dashboard
  2. Remove from git history (see above)
  3. Generate new key
  4. Check billing for unauthorized usage
  5. Update .env with new key
  6. Document the incident

📚 Resources


Remember: Security is everyone's responsibility! 🔒

If you're unsure about something, DON'T commit it. Ask first!

There aren’t any published security advisories