Tekimax SDK

Security & Compliance

Tekimax SDK is designed with a "Secure by Default" philosophy, leveraging modern supply chain security practices to ensure integrity from build to runtime.

Supply Chain Hardening

Chainguard Images

Our runtime and build artifacts are based on Chainguard Images, which are:

  • Minimal: Stripped of operating system shell, package managers, and other unnecessary binaries. This eliminates entire categories of exploits (shell injection, privilege escalation via installed tooling).
  • Hardened: Designed to reduce the attack surface significantly.
  • Zero CVEs: Rebuilt daily to patch upstream vulnerabilities immediately — so you inherit fixes without waiting for a manual image update.

Artifact Signing (Cosign)

All build artifacts are signed using Cosign (part of the Sigstore project). This allows you to verify that the SDK code you are running is exactly what was built by our CI/CD pipeline, with no tampering.

Vulnerability Management

Continuous Scanning (Trivy)

We employ Trivy in our CI/CD pipelines to continuously scan our dependencies and build artifacts for vulnerabilities.

  • Frequency: Every commit and nightly schedule.
  • Policy: Builds fail immediately if CRITICAL or HIGH vulnerabilities are detected.
  • Scope: Scans cover both OS-level packages and Node.js/npm dependencies.

Runtime Protection

Type Safety & Validation (Zod)

Unlike standard SDKs, Tekimax enforces strict runtime validation using Zod schemas.

  • Spec-Driven: All schemas are generated directly from the OpenAPI specification, ensuring 100% compliance with the API contract.
  • Input Validation: Malformed requests are rejected before they leave your application.
  • Output Sanitization: Unexpected responses from upstream providers are caught and handled gracefully.

Strict TypeScript Configuration

The SDK is built with the strictest TypeScript settings enabled to prevent common classes of bugs:

  • strict: true: Enables strict null checks and no implicit any — catches null/undefined bugs at compile time instead of runtime.
  • noUncheckedIndexedAccess: true: Forces developers to handle cases where array/object access might return undefined. Without this flag, arr[0] has type T; with it, the type is T | undefined, preventing silent runtime crashes on empty arrays.

Minimal Dependency Footprint

We aggressively minimize third-party dependencies to reduce the potential attack surface. Each dependency is a potential supply-chain vector, so fewer is better.

  • Core Runtime: zod (validation) and eventsource-parser (SSE streaming).
  • Provider SDKs: openai, @anthropic-ai/sdk, @google/generative-ai, ollama — one per provider, each an official first-party package.
  • Zero bloat: No heavy frameworks, lodash, or unused utility libraries.

Configuration Best Practices

Never hardcode API keys. All providers require explicit apiKey parameters — they do not auto-read environment variables. This is intentional: implicit env-var reading can lead to accidental key leakage across environments (e.g., a CI build picking up production keys).

```typescript
// ✅ Good: Explicit environment variable
const client = new Tekimax({
  provider: new AnthropicProvider({ apiKey: process.env.ANTHROPIC_API_KEY! }),
});

// ❌ Bad: Hardcoded secret
const leakyClient = new Tekimax({
  provider: new AnthropicProvider({
    apiKey: "sk-ant-...", // Never do this — it will end up in source control.
  }),
});
```
