Security

Handle secrets, reports, examples, and public documentation safely.

Noema integrates with model providers, voice services, filesystem tools, browser automation, and desktop control plugins. Documentation should help developers use those systems without exposing private data.

Secret Handling

Never commit or publish:

  • API keys.
  • Provider tokens.
  • Cookies.
  • Private model credentials.
  • Local user memory databases.
  • Screenshots containing private conversations.
  • Real production URLs when they reveal private infrastructure.

Use placeholders:

LLM_API_KEY=example-token
TASK_BASE_URL=https://api.example.com/v1

Public Issues

Before posting logs or screenshots:

  • Remove provider keys.
  • Remove request headers.
  • Remove user IDs and local usernames.
  • Replace private paths with short examples.
  • Remove conversation content that belongs to a real user.
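
The mechanical items in this checklist (keys, request headers, user IDs, local usernames in paths) can be scrubbed with a small script before a log is pasted into an issue. The Python below is an added example, not code from the Noema project; the header list, the user_id field name, the replacement strings, and the sample log lines are assumptions constructed for illustration. Conversation content still has to be reviewed and removed by hand.

```python
import re

# Assumed patterns; adjust them to the log format you actually have.
# Values assigned to names ending in KEY/TOKEN/SECRET/PASSWORD (env or JSON style).
SECRET_ASSIGN = re.compile(
    r'\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)"?\s*[=:]\s*"?)[^\s",]+', re.I)
# Credential-bearing request headers, optionally prefixed by curl-style "> " or "< ".
HEADER_LINE = re.compile(
    r'^\s*(?:[<>]\s*)?(?:authorization|proxy-authorization|cookie|set-cookie|x-api-key)\s*:',
    re.I)
# Bearer tokens that appear inline rather than on their own header line.
BEARER = re.compile(r'\bBearer\s+[A-Za-z0-9._~+/=-]+', re.I)
# Hypothetical user identifier field name.
USER_ID = re.compile(r'\b(user_?id"?\s*[=:]\s*"?)[\w-]+', re.I)
# Local username component of Linux, macOS and Windows home directories.
HOME_PATH = re.compile(r'(/home/|/Users/|[A-Z]:\\Users\\)[^/\\\s]+', re.I)


def redact(text):
    """Return text with secrets, auth headers, user IDs and usernames scrubbed."""
    out = []
    for line in text.splitlines():
        if HEADER_LINE.match(line):
            continue  # drop the whole header line, not just its value
        line = BEARER.sub("Bearer example-token", line)
        line = SECRET_ASSIGN.sub(lambda m: m.group(1) + "example-token", line)
        line = USER_ID.sub(lambda m: m.group(1) + "example-user", line)
        line = HOME_PATH.sub(lambda m: m.group(1) + "user", line)
        out.append(line)
    return "\n".join(out)


# Constructed sample log; every value here is made up.
SAMPLE_LOG = """\
INFO loading config LLM_API_KEY=sk-constructed-0000 TASK_BASE_URL=https://api.example.com/v1
> POST /v1/chat HTTP/1.1
> Authorization: Bearer sk-constructed-0000
> Cookie: session=constructed-cookie
DEBUG request user_id=u-48213 max_tokens=512
ERROR cannot open /home/alice/projects/demo/memory.db
"""

if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
```

The patterns err toward over-redaction; read the output once more before posting, since free-form text such as a key quoted inside an error message will not match any of them.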

Vulnerability Reports

Do not open public issues for vulnerabilities. Follow the security reporting process published by the Noema project maintainers.

Docs Examples

Examples should be safe by default:

  • Show placeholders instead of real credentials.
  • Avoid destructive shell commands unless the page is specifically about destructive actions.
  • Mark optional proxy configuration clearly.
  • Explain when a tool can read or write local files.
