Comprehensive security documentation for the cachekit Python SDK.
- Supported Versions
- Reporting a Vulnerability
- Architecture Overview
- Python SDK Security Features
- FFI Boundary Security
- Supply Chain Security
- CI/CD Security
- Known Limitations
- Security Roadmap
| Version | Supported |
|---|---|
| 0.1.x | β |
Note
As a young project, we maintain security support for the latest release only. Once we reach 1.0.0, we will establish a longer-term LTS policy.
Important
We take security seriously. If you discover a security vulnerability, please report it responsibly.
| Channel | Use Case |
|---|---|
| [email protected] | Preferred for sensitive issues |
| GitHub Security Advisory | Public vulnerability reports |
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (if available)
| Stage | Timeline |
|---|---|
| Initial Response | 48 hours |
| Status Update | 7 days |
| Fix Timeline | Varies by severity |
π Disclosure Policy
We follow coordinated disclosure:
- Acknowledge receipt within 48 hours
- Confirm vulnerability and determine severity
- Develop and test fix
- Release security patch
- Public disclosure after patch availability (coordinated with reporter)
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β cachekit Python SDK β
β ββββββββββββββββ ββββββββββββββββ βββββββββββββββββββββββββ β
β β @cache β β @cache β β Redis/CachekitIO β β
β β Decorator β β .secure β β Backend β β
β ββββββββ¬ββββββββ ββββββββ¬ββββββββ βββββββββββββ¬ββββββββββββ β
β β β β β
β ββββββββββ¬βββββββββ΄βββββββββββββββββββββββ β
β β β
β ββββββββββΌβββββββββ β
β β PyO3 FFI β βββ This repo β
β β Wrapper β β
β ββββββββββ¬βββββββββ β
ββββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββΌββββββββββ
β cachekit-core β βββ Separate crate
β βββββββββββββββ β
β β AES-256-GCM β β
β β LZ4 Compressβ β
β β xxHash3 β β
β β HKDF β β
β βββββββββββββββ β
βββββββββββββββββββββ
| Component | Responsibility |
|---|---|
| cachekit-core (Rust) | Compression, checksums, encryption, formal verification |
| cachekit SDK (this repo) | PyO3 FFI wrapper, decorators, Redis backend, configuration |
Tip
For comprehensive security details about core cryptographic operations, see cachekit-core SECURITY.md.
This document focuses on Python SDK-specific security: FFI boundary, configuration, and Python-layer tooling.
Caution
cachekit NEVER uses Python's pickle module due to arbitrary code execution risks (CWE-502).
We use MessagePack (safe binary serialization) with type preservation via schema metadata.
- import pickle # NEVER - arbitrary code execution
+ import msgpack # Safe binary serializationWhen enabled via @cache.secure, client-side AES-256-GCM encryption ensures the server never sees plaintext:
| Property | Guarantee |
|---|---|
| Encryption timing | Before data touches Redis |
| Server visibility | Opaque ciphertext only |
| Key derivation | HKDF with per-tenant salts |
| Authentication | GCM tags prevent tampering |
| Compliance | GDPR/HIPAA/PCI-DSS ready |
π Master Key Security
| Requirement | Implementation |
|---|---|
| Key size | Minimum 32 bytes (256 bits) |
| Configuration | CACHEKIT_MASTER_KEY env var |
| Logging | Never exposed in logs/errors |
| Derivation | HKDF with unique tenant salts |
β‘ L1 Cache Behavior
| Mode | L1 Storage | L2 Storage | Performance |
|---|---|---|---|
@cache |
Plaintext | Plaintext | ~50ns L1 / ~2-7ms L2 |
@cache.secure |
Encrypted | Encrypted | ~50ns L1 / ~2-7ms L2 |
Both tiers store encrypted bytes when encryption is enabled (encrypt-at-rest everywhere). Decryption happens at read time only, minimizing plaintext exposure.
Note
All cryptographic operations are implemented in cachekit-core. See cachekit-core SECURITY.md for AES-256-GCM, HKDF, and formal verification details.
All sensitive values are automatically masked:
| Context | Masked |
|---|---|
| Structured logs | β |
| Error messages | β |
| Health endpoints | β |
| Monitoring output | β |
Implementation: Uses pydantic-settings with SecretStr for automatic redaction.
Important
The PyO3 FFI boundary between Python and Rust is security-critical.
| Guarantee | Mechanism |
|---|---|
| Type safety | PyO3's compile-time type system |
| No unsafe serialization | MessagePack only (no pickle) |
| Buffer validation | Inputs validated before Rust calls |
| Panic handling | Rust panics β Python exceptions |
| Guarantee | Mechanism |
|---|---|
| GIL protection | All FFI calls acquire GIL |
| Rust synchronization | Send/Sync guarantees in cachekit-core |
| TSan validation | PyO3 false positives documented |
Warning
TSan suppressions in rust/tsan_suppressions.txt only cover PyO3/Python runtime false positives. Any data races in cachekit code are real bugs and must be fixed.
| Tool | Purpose | Config |
|---|---|---|
| cargo-deny | License + vulnerability scanning | rust/deny.toml |
| cargo-vet | Supply chain auditing | rust/supply-chain/config.toml |
π Policy Details
Allowed licenses: MIT, Apache-2.0, BSD-3-Clause
Denied licenses: GPL (all variants)
Vulnerability scanning: RustSec Advisory Database
Audit status: In progress (Q1 2026 target for full coverage)
Note
Core dependencies (ring, lz4_flex, blake3) are audited in cachekit-core. See cachekit-core supply chain docs.
| Tool | Purpose | Command |
|---|---|---|
| pip-audit | CVE scanning | make security-audit |
| Tier | Timing | Trigger | Checks |
|---|---|---|---|
| Fast | < 3 min | Every PR | cargo-audit, cargo-deny, clippy, machete, pip-audit |
| Medium | < 15 min | Post-merge | cargo-geiger (<5% unsafe), semver-checks |
| Deep | < 2 hr | Nightly | Sanitizers (ASan, TSan, MSan), security report |
π Workflow Files
| Tier | Workflow |
|---|---|
| Fast | .github/workflows/security-fast.yml |
| Medium | .github/workflows/security-medium.yml |
| Deep | .github/workflows/security-deep.yml |
Tip
Kani formal verification and cargo-fuzz run in cachekit-core CI. This SDK relies on cachekit-core's verification results.
# One-time setup
make security-install
# Quick checks (< 3 min)
make security-fast
# Comprehensive (< 15 min)
make security-medium
# Python dependencies
make security-audit
# Generate report
make security-reportReports are archived in reports/security/ for compliance and audit trails.
Note
This SDK does not implement cryptography directly. All cryptographic operations are in cachekit-core.
SDK Responsibilities:
- Safely calling cachekit-core via FFI
- Protecting master keys in memory (
SecretStr) - Preventing key leakage in logs/errors
- Validating inputs before FFI calls
For cryptographic guarantees, see:
β οΈ Validation Status
Validated:
- Workflow syntax
- Job structure and dependencies
- Tool installation procedures
- Trigger configuration
Requires validation on first PR:
- Actual timing (fast < 3min, medium < 15min, deep < 2h)
- Sanitizer execution on Linux runners
- Caching effectiveness
- Resource limits and timeouts
| Release Type | Scope | Breaking Changes |
|---|---|---|
| Patch (0.1.x) | Security fixes | β |
| Minor (0.x.0) | New features | β |
| Major (x.0.0) | Breaking changes | β |
Note
Pre-1.0: Minor versions may include breaking changes.
Security patches are backported to the latest supported version.
| Quarter | Milestone |
|---|---|
| Q1 2026 | Complete cargo-vet audits for all dependencies |
| Q2 2026 | Add Hypothesis fuzzing for Python layer |
| Q3 2026 | Third-party security audit (SDK + FFI boundary) |
| Q4 2026 | SLSA Level 3 compliance |
| Purpose | Channel |
|---|---|
| Security issues | [email protected] |
| General issues | GitHub Issues |
| Maintainers | GitHub Repository |
We appreciate responsible disclosure from the security community. Security researchers who report valid vulnerabilities will be acknowledged in release notes (with permission).
Report Vulnerability Β· cachekit-core Security Β· GitHub
Last Updated: 2025-12-09