From 7e6a16772bdb3c10c7fccb4eaa205f30a8ef3c72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSebastian?= <64795732+slegarraga@users.noreply.github.com> Date: Thu, 4 Jun 2026 23:28:04 -0400 Subject: [PATCH] docs: document security posture --- README.md | 3 +++ docs/security-posture.md | 20 ++++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 docs/security-posture.md diff --git a/README.md b/README.md index 17e07a7..ff47c94 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,9 @@ > Normalize OpenAI, Anthropic and Gemini API errors into one shape: category, retryable flag and `Retry-After` delay. **Zero dependencies.** +Security posture is tracked in [docs/security-posture.md](./docs/security-posture.md), +including CodeQL, OpenSSF Scorecard, Dependabot and branch rules. + Every LLM provider fails differently. OpenAI nests `{ error: { type, code, param } }`, Anthropic wraps `{ type: "error", error: { type } }`, Gemini speaks Google RPC status strings, and each puts retry hints in a different place. `llm-errors` collapses all of that into a single, predictable object so your retry and error-handling code stays provider-agnostic. ```ts diff --git a/docs/security-posture.md b/docs/security-posture.md new file mode 100644 index 0000000..dede8bb --- /dev/null +++ b/docs/security-posture.md 
@@ -0,0 +1,20 @@ +# Security posture + +`llm-errors` is a zero-runtime-dependency package, but the repository still +tracks supply-chain controls as part of maintenance. + +Current controls: + +- MIT license and public security policy. +- GitHub vulnerability alerts and Dependabot security updates. +- Secret scanning and push protection. +- CI on Node 20 and 22. +- CodeQL analysis for JavaScript/TypeScript. +- OpenSSF Scorecard workflow with published results. +- Pinned GitHub Actions and least-privilege workflow permissions. +- Branch ruleset for `main` requiring CI and CodeQL checks before merge. +- CODEOWNERS for maintainer review visibility. + +Security reports should not be opened as public issues. Use the process in +[SECURITY.md](../SECURITY.md) or contact +[sebastian@0a.cl](mailto:sebastian@0a.cl).
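Review bot: In the README hunk, the two added lines sit between the one-line tagline blockquote and the paragraph that explains what the package does, so the security pointer interrupts the pitch before the reader knows what `llm-errors` is. Consider moving the pointer below the intro (for example a short "Security" heading next to whatever contributing or license section the README already has), or keeping it here as a single sentence rather than a two-line paragraph with a trailing blank line.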
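Review bot: The new docs/security-posture.md lists controls without giving the reader a way to verify them. "OpenSSF Scorecard workflow with published results" should link to where the results are published (the Scorecard badge or results page), and "Pinned GitHub Actions" should say whether actions are pinned to a commit SHA or only to a tag, since Scorecard's pinned-dependencies check treats the two differently. "MIT license" is not a security control and reads oddly at the top of the list; keep it in the README and lead with the security policy instead. A posture page like this goes stale quickly, so a "Last reviewed: <date>" line near the top would let readers judge how current the list is.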