
Security: davccavalcante/alkaline


SECURITY.md

Security Policy

@takk/alkaline is a stable (1.0.0) zero-runtime-dependency durable execution kernel for Massive Intelligence (IM) agents and non-human entities (NHEs). We take security reports seriously and aim to acknowledge each one within two business days.

Supported versions

Each published version follows strict SemVer (see SPEC.md and .github/RELEASING.md). Only the latest minor of the current major receives security patches; an older major receives critical-CVE fixes for 6 months after the next major lands.

Package         | Supported
@takk/alkaline  | current latest dist-tag

Reporting a vulnerability

Please do not file public GitHub issues for security problems. Send reports to davcavalcante@proton.me (preferred) or say@takk.ag (Takk relay), with the subject line beginning [SECURITY].

Include, at minimum:

  • Affected version (npm ls @takk/alkaline).
  • Reproduction steps or a minimal proof-of-concept.
  • Impact assessment (what an attacker can achieve).
  • Any suggested mitigation.

PGP or signed reports are welcome but not required. If you need an out-of-band channel, ask in the first message and we will propose one.

Response process

  1. Acknowledgement within 2 business days.
  2. Triage and severity assignment within 7 days.
  3. Fix targeted for the next release; critical issues ship as an out-of-band patch on the affected minor.
  4. Coordinated disclosure: the reporter is credited in the changelog and advisory unless they request anonymity.

Threat model in scope

Findings in any of the following are in scope:

  • State persistence. Any way to make a state-store cell write outside its intended scope: path traversal through the SQLite path option, or any query in the Postgres or Redis cells that is not parameterized and lets an attacker inject SQL or Redis commands through an execution id, a workflow name, a record collection, or a payload.
  • Replay integrity. Any way to make a replayed execution return a different result than its recorded history, to bypass the divergence detection, or to corrupt or forge a history event so a step is skipped, double-applied, or its recorded result altered.
  • Loop and budget bypass. Any way to defeat the cycle detector or the depth limit so a workflow recurses without bound, or to defeat the token budget so an execution spends past its declared limit, the cost and denial-of-service vector this kernel exists to prevent.
  • Board lease bypass. Any way to defeat the task-board lease so a claimed task is run by two workers at once, or to reclaim a task whose lease has not expired.
  • Secret leakage. By design, an execution's history records its inputs and step results as JSON; an operator who stores a secret there persists it, which is the operator's responsibility. Alkaline drops error stack traces from the durable FailureInfo. Any path that leaks a secret beyond what the operator explicitly stored, for example into a record it should not reach, is in scope.
  • Supply chain. Tarball contamination, a compromised npm scope, or a published artifact whose provenance attestation does not match the source commit.
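The state-persistence and board-lease items above both come down to one rule: untrusted identifiers (execution ids, workflow names, collection names, worker ids) must travel as parameters, never as part of the query or script text. The following is an added example, not alkaline's own code, modelling a hypothetical Postgres cell with a node-postgres style query(text, params) call and a hypothetical Redis cell that claims a lease through a Lua script via eval(script, keys, args). A fake client records what would be sent, and the attacker-controlled ids are constructed for the demonstration, so the vulnerable and hardened forms can be compared offline.

```javascript
// Added example, not alkaline's own code. Models the Postgres and Redis cells
// named in the threat model with two hypothetical client shapes:
//   query(text, params)        node-postgres style bind parameters
//   eval(script, keys, args)   a Redis Lua script with KEYS/ARGV
// A fake client records what would be sent instead of talking to a server.

function fakeClient() {
  const sent = [];
  return {
    sent,
    query(text, params = []) { sent.push({ text, params }); return { rows: [] }; },
    eval(script, keys = [], args = []) { sent.push({ script, keys, args }); return null; },
  };
}

// Vulnerable: the execution id becomes part of the SQL text. An id such as
// x' OR '1'='1 reads every execution's history; a ; DROP TABLE ... goes further.
function loadHistoryUnsafe(client, executionId) {
  return client.query(
    `SELECT seq, event FROM history WHERE execution_id = '${executionId}' ORDER BY seq`,
  );
}

// Hardened: the SQL text is a constant and the id is a bind parameter that the
// driver sends separately, so it is never parsed as SQL.
function loadHistorySafe(client, executionId) {
  return client.query(
    "SELECT seq, event FROM history WHERE execution_id = $1 ORDER BY seq",
    [executionId],
  );
}

// Vulnerable: task and worker ids are interpolated into a Lua lease script.
// A worker id containing a quote closes the string literal and everything after
// it is Lua that the server runs with full redis.call access.
function claimLeaseUnsafe(client, taskId, workerId, ttlMs) {
  const script =
    `local r = redis.call('SET', 'lease:${taskId}', '${workerId}', 'NX', 'PX', ${ttlMs})\n` +
    "return r";
  return client.eval(script, [], []);
}

// Hardened: the script is a constant; untrusted values arrive through KEYS/ARGV.
// SET NX PX is atomic, so two workers cannot both claim an unexpired lease.
const CLAIM_LEASE = "return redis.call('SET', KEYS[1], ARGV[1], 'NX', 'PX', ARGV[2])";
function claimLeaseSafe(client, taskId, workerId, ttlMs) {
  return client.eval(CLAIM_LEASE, [`lease:${taskId}`], [workerId, String(ttlMs)]);
}

// Constructed attacker-controlled inputs for the demonstration.
const EVIL_EXEC_ID = "x' OR '1'='1";
const EVIL_WORKER_ID = "w1') redis.call('FLUSHALL') --";

function runExample() {
  const c = fakeClient();
  loadHistoryUnsafe(c, EVIL_EXEC_ID);
  loadHistorySafe(c, EVIL_EXEC_ID);
  claimLeaseUnsafe(c, "t1", EVIL_WORKER_ID, 30000);
  claimLeaseSafe(c, "t1", EVIL_WORKER_ID, 30000);
  const [sqlUnsafe, sqlSafe, luaUnsafe, luaSafe] = c.sent;
  return {
    // the attacker's fragment is now part of the SQL statement
    sqlInjected: sqlUnsafe.text.includes("'1'='1'"),
    // the same bytes are only a parameter value; the statement is unchanged
    sqlSafeTextUntouched:
      !sqlSafe.text.includes("'1'='1'") && sqlSafe.params[0] === EVIL_EXEC_ID,
    // the worker id has become a second Lua statement in the script body
    luaInjected: luaUnsafe.script.includes("redis.call('FLUSHALL')"),
    // the script sent is the constant; the worker id is only ARGV[1]
    luaSafeTextUntouched:
      luaSafe.script === CLAIM_LEASE && luaSafe.args[0] === EVIL_WORKER_ID,
  };
}

console.log(runExample());
```

When reviewing a cell, grep for template literals or string concatenation that feed query(), eval() or a raw command builder; every such site that includes an execution id, workflow name, collection name, payload or worker id is a candidate for the report described above. Note that the hardened lease claim is only half of the lease story: the matching release must also compare the stored owner to the releasing worker before deleting the key, otherwise one worker can reclaim a task whose lease another worker still holds.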

Out of scope

  • The behavior or safety of the step functions, tool calls, and model responses the operator runs inside a workflow.
  • The security of the database client the operator injects into the Postgres or Redis cell, and the database server itself.
  • Secrets the operator chooses to store in a workflow input, step result, or board task; their custody is the operator's responsibility.
  • Denial of service via unbounded inputs against the operator's own application; request sizing remains the operator's responsibility.

Supply-chain assurances

  • Zero required runtime dependencies. The transitive-dependency attack surface is eliminated for every shipped bundle. Sibling @takk bridges are optional peer dependencies you install explicitly.
  • Provenance. Every release is published with npm publish --provenance (SLSA attestation by GitHub Actions). Inspect the registry metadata with npm view @takk/alkaline@<version> --json | jq .dist.attestations; that only shows that an attestation is registered, so verify the signatures on an installed tree with npm audit signatures (recent npm), which checks provenance attestations as well as registry signatures.
  • Lockfile committed. pnpm-lock.yaml is tracked in git for reproducible installs.
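The three assurances above are checkable from the version document that npm view @takk/alkaline@<version> --json prints. The following is an added example, not alkaline's own tooling, that reads such a document and reports what a consumer should refuse: a missing or non-SLSA attestation, an attestation URL registered for a different name@version, a tarball integrity that differs from the lockfile entry, and a gitHead that differs from the tagged release commit. The field names follow the public npm registry packument format; the sample documents, commit hash and integrity value are constructed placeholders, not real release data. The expected values would come from the signed release tag and from pnpm-lock.yaml, both assumed here.

```javascript
// Added example, not alkaline's own tooling. Inspects a version document as
// returned by `npm view <pkg>@<version> --json` and flags provenance problems.
// Sample documents below are constructed; the hash and integrity are placeholders.

const SLSA_PREDICATE_TYPES = new Set([
  "https://slsa.dev/provenance/v1",
  "https://slsa.dev/provenance/v0.2",
]);
const ATTESTATION_BASE = "https://registry.npmjs.org/-/npm/v1/attestations/";

function checkProvenance(versionDoc, expected) {
  const issues = [];
  const dist = versionDoc.dist || {};
  const att = dist.attestations;

  if (!att) {
    issues.push("dist.attestations missing: not published with --provenance");
  } else {
    const predicate = att.provenance && att.provenance.predicateType;
    if (!SLSA_PREDICATE_TYPES.has(predicate)) {
      issues.push(`unexpected provenance predicateType: ${predicate}`);
    }
    // The bundle must be the one registered for this exact name@version, not a
    // bundle that happens to exist for some other package or release.
    const tail = typeof att.url === "string" && att.url.startsWith(ATTESTATION_BASE)
      ? decodeURIComponent(att.url.slice(ATTESTATION_BASE.length))
      : null;
    if (tail !== `${versionDoc.name}@${versionDoc.version}`) {
      issues.push(`attestation url is not for ${versionDoc.name}@${versionDoc.version}: ${att.url}`);
    }
  }

  // Tarball digest must be sha512 and, when a lockfile entry is supplied, match it.
  if (!/^sha512-[A-Za-z0-9+/]+={0,2}$/.test(dist.integrity || "")) {
    issues.push("dist.integrity missing or not sha512");
  } else if (expected.integrity && dist.integrity !== expected.integrity) {
    issues.push("dist.integrity differs from the lockfile entry");
  }

  // gitHead is self-reported by the publishing npm CLI. A mismatch with the
  // release commit is a red flag, but only the signed attestation bundle
  // (fetched from dist.attestations.url, verified by `npm audit signatures`)
  // binds the commit cryptographically.
  if (!/^[0-9a-f]{40}$/.test(versionDoc.gitHead || "")) {
    issues.push("gitHead missing or malformed");
  } else if (expected.commit && versionDoc.gitHead !== expected.commit) {
    issues.push(`gitHead ${versionDoc.gitHead} != release commit ${expected.commit}`);
  }

  return { ok: issues.length === 0, issues };
}

// Constructed sample: a version document as published with --provenance.
const GOOD_DOC = {
  name: "@takk/alkaline",
  version: "1.0.0",
  gitHead: "0123456789abcdef0123456789abcdef01234567", // placeholder
  dist: {
    integrity: "sha512-" + "A".repeat(86) + "==",            // placeholder
    attestations: {
      url: ATTESTATION_BASE + "@takk%2Falkaline@1.0.0",
      provenance: { predicateType: "https://slsa.dev/provenance/v1" },
    },
  },
};

// Constructed sample: the same version re-published from an unknown commit and
// without provenance, which is what a compromised scope or an ad-hoc local
// `npm publish` looks like in the registry metadata.
const TAMPERED_DOC = {
  ...GOOD_DOC,
  gitHead: "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
  dist: { integrity: GOOD_DOC.dist.integrity },
};

// Assumed reference values: commit from the signed release tag, integrity from pnpm-lock.yaml.
const EXPECTED = { commit: GOOD_DOC.gitHead, integrity: GOOD_DOC.dist.integrity };

function runExample() {
  return {
    good: checkProvenance(GOOD_DOC, EXPECTED),
    tampered: checkProvenance(TAMPERED_DOC, EXPECTED),
  };
}

console.log(JSON.stringify(runExample(), null, 2));
```

To use it against a real release, save the output of npm view @takk/alkaline@<version> --json to a file, parse it, and pass it as versionDoc together with the commit from the release tag and the integrity line from pnpm-lock.yaml. This check reads metadata only; the cryptographic step is npm audit signatures, which fetches and verifies the sigstore bundle that dist.attestations.url points to.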
