If you find a security issue in Demarche, please do not open a public GitHub issue. Identity-verification code paths benefit from coordinated disclosure.

Email wayland0916@gmail.com with:

• A description of the vulnerability.
• Steps to reproduce, ideally with a minimal proof-of-concept.
• The affected version(s) of demarche (PyPI) and/or @deeplethe/demarche (npm).
• Your assessment of the impact and any suggested mitigations.

You should receive an acknowledgement within 7 days. Once a fix is ready, I will coordinate the disclosure timeline with you and credit you in the release notes unless you prefer to remain anonymous.

Only the latest minor release receives security fixes during the pre-1.0 phase. Pin to a recent version to stay in support.

Demarche's documented threat model and mitigations live in spec/v0.1-architecture.md §5. Highlights:

• Confused-deputy class mitigated by separating principal_id and agent_id.
• Downgrade attacks mitigated by strict first-match adapter resolution.
• Key rotation handled by JWKSKeyProvider with rate-limited refresh.
• HTTPS enforced for JWKS, OIDC Discovery, and WebhookSink endpoints.

• Python: pyjwt[crypto] (which uses cryptography).
• TypeScript: jose.

Vulnerabilities in those dependencies are out of scope here; report them upstream. Demarche's own role is to compose them correctly.