Security: raintree-technology/perps

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, email: support@raintree.technology

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

We will review reports as time permits. There are no guaranteed response times.

Scope

This policy covers:

  • The perps CLI and its exchange adapters
  • The agent gateway HTTP server
  • The credential vault and secret handling
  • The onboarding and setup wizard flows

Credential Handling

  • Private keys and API secrets are stored encrypted in ~/.perp/credentials-vault.json.
  • The CLI is designed to avoid logging or outputting private keys or secrets, but no guarantees are made. Users are responsible for securing their own credentials and environments.
  • .env files containing credentials are gitignored by default.
  • The agent gateway requires explicit opt-in (PERPS_AGENT_ALLOW_MAINNET=1) for mainnet execution.

Disclaimer

This software is provided under the MIT License, without warranty of any kind. The authors and contributors accept no liability for financial losses, credential exposure, or any other damages arising from the use of this software. You are solely responsible for your own security practices and trading decisions.

Dependency Auditing

Run pnpm audit to check for known vulnerabilities in the dependency tree.

Audit process

  1. Direct dependencies — every package in dependencies and devDependencies should be a well-known, actively maintained project. Prefer @noble/curves and @noble/hashes for cryptographic primitives (audited, no native deps).
  2. Transitive vulnerabilities — some upstream packages (e.g. near-api-js, pmxtjs) pull in legacy sub-dependencies with known advisories. These are outside our control but should be monitored for upstream fixes.
  3. Typosquat checks — before upgrading third-party packages (e.g. @nktkas/hyperliquid, pmxtjs), verify that the registry entry's repository URL and publisher match the official repo, so that a look-alike name or a hijacked package is caught before it is installed.

Cryptographic libraries

| Use case | Package | Notes |
|---|---|---|
| secp256k1 signing | @noble/curves | Audited, pure JS, actively maintained by Paul Miller |
| Keccak-256 hashing | @noble/hashes | Same author, same audit lineage |
| Ed25519 (NEAR) | near-api-js (KeyPair) | Official NEAR SDK |
| EVM signatures | viem | Uses @noble/* internally |

Known transitive advisories (not fixable from this repo)

| Advisory | Package | Via | Severity | Status |
|---|---|---|---|---|
| GHSA-3ppc-4f35-3m26 | minimatch <10.2.1 | pmxtjs > jest > glob | High | Awaiting upstream fix |
| GHSA-378v-28hj-76wf | bn.js <5.2.3 | near-api-js > elliptic | Moderate | Awaiting upstream migration |
| GHSA-848j-6mx2-7j84 | elliptic <=6.6.1 | near-api-js, pmxtjs | Low | No patch; elliptic appears unmaintained |
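The audit process above and the advisory table are easier to enforce than to remember. The following is an added example, not code from the perps project: a small Node script that turns the table into an allowlist for `pnpm audit --json`, fails on any advisory that has not been triaged, flags an accepted advisory the moment its package becomes reachable as a direct dependency (at which point it is fixable from this repo), reports stale allowlist entries, and implements the typosquat check by comparing each package's registry `repository.url` against a pinned expected URL. It assumes that pnpm's JSON output uses the npm v6-style `advisories` map (`github_advisory_id`, `module_name`, `severity`, `findings[].paths`), and that `pnpm view <pkg> repository --json` prints a `{ type, url }` object. The sample audit output, the placeholder advisory GHSA-0000-0000-0000, the package `example-pkg` and the expected repository URLs are constructed for illustration; pin the URLs you have verified yourself.

```javascript
// Added example (not part of the perps project): CI gate for `pnpm audit --json`
// plus a source-repository check for packages named in SECURITY.md.
// Assumed: pnpm emits the npm v6-style "advisories" map described in the lead-in.

// Advisories already reviewed and accepted as transitive (the SECURITY.md table).
const ACCEPTED_ADVISORIES = new Set([
  "GHSA-3ppc-4f35-3m26", // minimatch, via pmxtjs > jest > glob
  "GHSA-378v-28hj-76wf", // bn.js, via near-api-js > elliptic
  "GHSA-848j-6mx2-7j84", // elliptic, via near-api-js and pmxtjs
]);

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Returns { ok, unexpected, stale }. An accepted advisory stops being acceptable
// when its package is reachable as a direct dependency (a path with no ">"),
// because it is then fixable from this repo rather than "awaiting upstream".
function triageAudit(auditJson, accepted = ACCEPTED_ADVISORIES, failOn = "low") {
  const threshold = SEVERITY_RANK[failOn];
  const unexpected = [];
  const seen = new Set();
  for (const adv of Object.values(auditJson.advisories ?? {})) {
    const id = adv.github_advisory_id;
    const paths = (adv.findings ?? []).flatMap((f) => f.paths ?? []);
    const entry = { id, pkg: adv.module_name, severity: adv.severity, paths };
    if (accepted.has(id)) {
      seen.add(id);
      if (paths.some((p) => !p.includes(">"))) {
        unexpected.push({ ...entry, reason: "accepted advisory now reachable as a direct dependency" });
      }
      continue;
    }
    if ((SEVERITY_RANK[adv.severity] ?? 0) >= threshold) {
      unexpected.push({ ...entry, reason: "not in allowlist" });
    }
  }
  const stale = [...accepted].filter((id) => !seen.has(id)); // allowlist entries to clean up
  return { ok: unexpected.length === 0, unexpected, stale };
}

// Normalise the shapes an npm repository.url can take so that
// git+https://github.com/x/y.git and git@github.com:x/y compare equal.
function normalizeRepoUrl(url) {
  return url
    .trim()
    .replace(/^git\+/, "")
    .replace(/^(?:https?|ssh|git):\/\//, "")
    .replace(/^git@/, "")
    .replace(/\.git$/, "")
    .replace(":", "/")
    .toLowerCase();
}

// pkgMeta maps package name -> the { type, url } object that
// `pnpm view <pkg> repository --json` prints (assumed shape). Any package whose
// repository differs from the verified URL is a candidate typosquat or hijack.
function checkRepos(pkgMeta, expected) {
  const mismatches = [];
  for (const [name, want] of Object.entries(expected)) {
    const got = normalizeRepoUrl(pkgMeta[name]?.url ?? "");
    if (got !== normalizeRepoUrl(want)) mismatches.push({ name, want, got: got || "(missing)" });
  }
  return mismatches;
}

// Constructed sample in the shape of `pnpm audit --json`; not real output.
// GHSA-0000-0000-0000 and example-pkg are placeholders, not a real advisory.
const SAMPLE_AUDIT = {
  advisories: {
    "1001": { github_advisory_id: "GHSA-3ppc-4f35-3m26", module_name: "minimatch", severity: "high",
      findings: [{ version: "3.1.2", paths: ["pmxtjs>jest>glob>minimatch"] }] },
    "1002": { github_advisory_id: "GHSA-848j-6mx2-7j84", module_name: "elliptic", severity: "low",
      findings: [{ version: "6.5.4", paths: ["near-api-js>elliptic", "pmxtjs>elliptic"] }] },
    "1003": { github_advisory_id: "GHSA-0000-0000-0000", module_name: "example-pkg", severity: "moderate",
      findings: [{ version: "1.0.0", paths: ["example-pkg"] }] },
  },
};

// Expected upstream repositories: assumed values for illustration, pin your own.
const EXPECTED_REPOS = {
  "@nktkas/hyperliquid": "https://github.com/nktkas/hyperliquid",
  "pmxtjs": "https://github.com/example-org/pmxtjs", // hypothetical
};

// Constructed registry metadata; the pmxtjs entry points at a different repo.
const SAMPLE_REPO_META = {
  "@nktkas/hyperliquid": { type: "git", url: "git+https://github.com/nktkas/hyperliquid.git" },
  "pmxtjs": { type: "git", url: "git@github.com:someone-else/pmxtjs-fork.git" },
};

const auditResult = triageAudit(SAMPLE_AUDIT);
console.log(JSON.stringify(auditResult, null, 2));
console.log(JSON.stringify(checkRepos(SAMPLE_REPO_META, EXPECTED_REPOS), null, 2));
```

In CI, feed `pnpm audit --json` into `triageAudit` and exit non-zero when `ok` is false or `checkRepos` returns anything; the `stale` list is a reminder to prune the allowlist once an upstream fix lands, so the accepted-advisory table does not silently outlive the advisories it describes.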

Supported Versions

Security updates are applied to the latest release only.