Security | Licit

Threat Model

licit operates as a local auditing tool. Its attack surface is limited, but there are risks to consider:

Identified Threats

Threat	Severity	Mitigation
Manipulation of provenance store	High	HMAC-SHA256 signing, Merkle tree integrity
Sensitive data in FRIA	Medium	`.gitignore` for `fria-data.json`, do not push to public repos
Injection via malicious YAML	Low	Exclusive use of `yaml.safe_load()` (not `yaml.load()`)
Compromised dependencies	Medium	Periodic auditing, minimum version pinning
Code execution via configs	Low	No code is executed from configs; only data is parsed
Exposure of contributor info	Low	Provenance is not pushed by default; recommendation in `.gitignore`

What licit Does NOT Do

Does not execute arbitrary code from the files it analyzes.
Does not send data to external servers. Everything is processed locally.
Does not require elevated permissions. It operates with the user’s permissions.
Does not modify the source code of the analyzed project.
Does not store credentials. Signing keys are managed by the user.

Cryptographic Signing (provenance)

HMAC-SHA256

When provenance signing is enabled (provenance.sign: true), each record is signed with HMAC-SHA256:

signature = HMAC-SHA256(key, canonical_json(record))

Configuration:

provenance:
  sign: true
  sign_key_path: ~/.licit/signing-key

Key generation:

# Generate a 256-bit key
python3.12 -c "import secrets; print(secrets.token_hex(32))" > ~/.licit/signing-key
chmod 600 ~/.licit/signing-key

Attestation (Merkle tree)

licit implements a Merkle tree over provenance records to detect tampering:

         root_hash
        /         \
    hash_01      hash_23
    /    \       /    \
 hash_0 hash_1 hash_2 hash_3
   |      |      |      |
 rec_0  rec_1  rec_2  rec_3

Any modification to a record invalidates the hash chain from that record to the root.

Implementation:

Each record is serialized as canonical JSON (sort_keys=True, default=str)
SHA256 is computed for each record, forming the tree leaves
Pairs of hashes are concatenated and re-hashed until the root is obtained
Odd records: the last one is duplicated to complete the pair
Individual verification uses hmac.compare_digest (timing-safe)

from licit.provenance.attestation import ProvenanceAttestor

attestor = ProvenanceAttestor()  # Auto-generates key in .licit/.signing-key

# Sign an individual record
sig = attestor.sign_record({"file": "app.py", "source": "ai"})

# Verify integrity
assert attestor.verify_record({"file": "app.py", "source": "ai"}, sig)

# Sign a batch with Merkle tree
root = attestor.sign_batch([record1, record2, record3])

Key Management

The signing key is resolved in this order:

Explicit path (sign_key_path in config)
Local fallback (.licit/.signing-key in the project)
Auto-generation (32 random bytes with os.urandom(32))

All filesystem access is protected with try/except OSError.

Data Protection

Sensitive Data Generated by licit

File	Sensitivity	Recommendation
`.licit.yaml`	Low	Commit to the repo
`.licit/provenance.jsonl`	Medium	Do not commit (contains contributor info)
`.licit/fria-data.json`	High	Do not commit (rights impact data)
`.licit/fria-report.md`	Medium	Selective commit
`.licit/annex-iv.md`	Low	Commit to the repo
`.licit/changelog.md`	Low	Commit to the repo
`.licit/reports/*`	Low	Commit to the repo
Signing key	Critical	Never commit, permissions 600

Recommended .gitignore

# licit — sensitive data
.licit/provenance.jsonl
.licit/fria-data.json

# licit — signing key (if stored in the project)
.licit/signing-key
*.key

# licit — generated reports (optional, can be committed)
# .licit/reports/

Dependencies

Dependency Audit

licit uses 6 runtime dependencies, all widely adopted:

Dependency	Min. version	Purpose	Maintainer
click	8.1+	CLI framework	Pallets
pydantic	2.0+	Config validation	Samuel Colvin
structlog	24.1+	Structured logging	Hynek Schlawack
pyyaml	6.0+	YAML parsing	YAML org
jinja2	3.1+	Report templates	Pallets
cryptography	42.0+	HMAC-SHA256	PyCA

Recommendations

Pin versions in production: Use a requirements.txt or pip-compile to lock exact versions.

Audit regularly:

pip audit                    # Search for known vulnerabilities
pip install pip-audit && pip-audit  # Alternative

Verify hashes:

pip install --require-hashes -r requirements.txt

Secure File Parsing

YAML

licit always uses yaml.safe_load() to parse YAML. Never yaml.load() (which allows arbitrary Python code execution).

# Correct (what licit does)
data = yaml.safe_load(f.read())

# NEVER (vulnerable to code execution)
# data = yaml.load(f.read(), Loader=yaml.FullLoader)

JSON

For SARIF and other JSON files, standard json.load() is used, which is secure by design.

Agent Configuration Files

Files such as CLAUDE.md, .cursorrules, AGENTS.md are read as plain text. licit does not interpret or execute their contents — it only analyzes them to detect changes and extract metadata.

External Process Execution

licit executes git commands via subprocess.run() with the following protections:

capture_output=True — stdout/stderr are captured, not displayed directly.
text=True — Automatic UTF-8 decoding.
No shell=True — Arguments are passed as a list, not as a string, preventing command injection.
timeout=30 — Explicit 30-second timeout on git log to avoid blocking on massive repos (10 seconds for git show and existence checks).
subprocess.TimeoutExpired is caught — returns an empty list without crashing.
Explicit check=False — on all subprocess.run calls in provenance and changelog (does not raise an exception on returncode != 0).
Size guard (changelog): ConfigWatcher._MAX_CONTENT_BYTES = 1_048_576 — discards git show content larger than 1 MB to prevent OOM with accidentally tracked binary files.

# How licit executes git commands
result = subprocess.run(
    ["git", "rev-list", "--count", "HEAD"],
    capture_output=True,
    text=True,
)

Vulnerability Reporting

If you find a security vulnerability in licit:

Do not open a public issue.
Send an email to the maintainers with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
You will receive a confirmation within 48 hours.
A fix and advisory will be published once resolved.