If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue
- Use GitHub's private vulnerability reporting to submit the report
- Include steps to reproduce the issue
We will respond within 48 hours and work with you to address the issue.
This project follows these security practices:
- No secrets in code — all credentials via environment variables
- Dependency scanning — automated via Dependabot
- Input validation — InputGuard middleware limits input size and conversation turns
- Sensitive data masking — logging middleware masks PII patterns
- Explicit authentication — no credential fallback chains (see factory.py)
- Least privilege — agents only have access to their configured tools
This project depends on:
- Microsoft Agent Framework (RC)
- Azure Identity for authentication
- Azure OpenAI for model inference
Keep dependencies up to date. Review the uv.lock file for the full dependency tree.