SILENCE.OBJECTS is a modular TypeScript framework for structural behavioral pattern analysis. The project follows an open‑core model: selected @silence/* modules are open‑source (MIT), while enterprise @silence/ee-* modules and production deployments are proprietary and hardened.

This document describes how to report vulnerabilities, what versions are supported, and which security controls are in place across the ecosystem.

We follow a simple support policy for the open‑core framework:

Only the latest major line (5.x) receives security fixes. Older versions may continue to work but are not patched.

For enterprise customers using closed modules (@silence/ee-*), support terms are defined in your commercial agreement.

Do NOT create a public GitHub issue for security vulnerabilities.

To report a potential vulnerability, please contact:

• Email: security@patternslab.app

Include, whenever possible:

• A clear description of the vulnerability
• Steps to reproduce (minimal, reproducible example)
• Affected version(s) and environment (dev / staging / production)
• Potential impact (data exposure, integrity, availability, safety)
• Suggested fix or mitigation (if you have one)

We commit to:

• Acknowledgement within 48 hours
• Initial triage and a proposed remediation timeline within 7 days

If the issue is confirmed and has security impact, we will:

• Prepare a fix or mitigation
• Coordinate disclosure with you (if you wish to be credited)
• Publish a patched version and a short security note, where appropriate

The public SILENCE.OBJECTS monorepo is hardened as follows:

• Branch protection on main

  • All changes go through Pull Requests
  • Required review from CODEOWNERS for sensitive areas (AI, safety, audit, closed interfaces)

• Secret hygiene

  • Secret scanning enabled on GitHub
  • Historical secrets removed (BFG or equivalent)
  • No API keys or credentials committed to the repository

• Dependency monitoring

  • GitHub Dependabot alerts enabled
  • Regular pnpm audit runs in CI
  • High‑severity issues are treated as P0

• Open‑core vs closed split

  • Open‑core modules (@silence/contracts, @silence/events, @silence/behavioral-sequences, @silence/rhythmic-patterns, @silence/cognitive-load, @silence/capacity-recovery, @silence/attention-profiles, @silence/language, @silence/validator, @silence/ui) live in this repository and are MIT‑licensed.
  • Closed @silence/ee-* modules are proprietary and stored in private repositories; only their interfaces are visible via @silence/contracts.
  • See LICENSE and docs/SILENCE.OBJECTS-Moduly-Frameworka-Open-Source-i-Closed.md for details.

Production deployments (PatternLens, PatternsLab, Portal) implement several layers of runtime protection:

• 3‑layer safety / crisis detection

  • Closed module @silence/ee-safety orchestrates:
    • hard keyword checks (crisis markers),
    • soft AI scoring,
    • escalation and blocking rules.
  • Inputs containing crisis markers are blocked; users are directed to crisis resources instead of receiving an AI interpretation.

• S11 language guardrails

  • @silence/language and S11 enforce structural, non‑clinical language.
  • Forbidden clinical / therapeutic vocabulary is blocked at:
    • build time (G1 linter),
    • runtime (G2 edge middleware).
  • System does not produce diagnostic or therapeutic claims.

• API and traffic controls

  • Rate limiting on all AI and analysis endpoints
  • Input sanitization (e.g. zero‑width character stripping, basic normalization)
  • Output scanning for forbidden terms before responses are returned to clients
  • Circuit‑breaker pattern (e.g. 10–15s timeouts, fallback responses, error budgets)

• Data layer protection

  • Supabase / Postgres with Row Level Security (RLS) on all tables with user/tenant data
  • RLS policies ensure each tenant only sees its own data
  • Access tokens and sessions are scoped to tenant context

SILENCE.OBJECTS is designed to operate as a limited‑risk AI system:

• No emotion recognition
• No medical diagnosis or therapeutic recommendations
• No automated decisions affecting legal rights or access to essential services

Key measures:

• S11 System (Language Sterility)

  • Enforces structural framing (patterns, cycles, tension) instead of clinical categories.
  • Avoids stigmatizing labels and diagnostic terms.
  • Documented in docs/S11-System-Sterylnosci-Jezykowej-SILENCE.OBJECTS.md.

• Data protection

  • Behavioral data focus; no raw health records are stored in open‑core modules.
  • GDPR‑aligned practices (EU region Supabase, data export, deletion flows) in production apps.
  • Explicit consent and legal bases for processing health‑adjacent data are handled in closed modules (e.g. @silence/ee-medical) and customer agreements.

• CI/CD compliance gates

  • P0/P1/P2 compliance matrix enforced in CI for:
    • S11 violations,
    • missing consent flows,
    • unsafe AI prompts / outputs.
  • Builds that violate these gates do not reach production.

Closed modules are not shipped as open‑source in this repository. They are proprietary, hosted in private repos, and follow additional internal security and compliance controls.

Examples include (non‑exhaustive):

• @silence/ee-behavioral-engine
• @silence/ee-ai
• @silence/ee-predictive
• @silence/ee-safety
• @silence/ee-voice
• @silence/ee-medical
• @silence/ee-legal
• @silence/ee-intervention-timing
• @silence/ee-analytics-dashboard
• @silence/ee-billing
• @silence/ee-orchestrator
• @silence/ee-linkedin-agent
• @silence/ee-audit

Only the contract surfaces for these modules are exposed via @silence/contracts in this public repository.

We regularly audit and maintain our dependency tree:

• pnpm monorepo with workspaces
• Automated dependency checks via GitHub Dependabot
• Regular manual reviews for high‑risk libraries (AI, cryptography, auth)

If you notice a dependency that is out of date or flagged as vulnerable, please open an Issue (for non‑security items) or contact security@patternslab.app (for security‑sensitive cases).

Thank you for helping keep SILENCE.OBJECTS secure.