| Version | Supported |
|---|---|
| latest | Yes |
The Distillery is a loopback proxy. It never stores your Anthropic API key. Your API key travels directly from your local machine to Anthropic's API; The Distillery only reads token counts for billing purposes (BYOK model).
What this means for self-hosters:
- No API keys are stored server-side
- The proxy MUST bind to 127.0.0.1 only (loopback)
- Binding to 0.0.0.0 is unsupported and exposes your Anthropic key to the network
To report a security vulnerability, email stijnwilliam@gmail.com with:
- A description of the vulnerability
- Steps to reproduce
- Impact assessment
Do not open a public GitHub issue for security vulnerabilities.
We will acknowledge receipt within 48 hours and aim to resolve confirmed vulnerabilities within 90 days of disclosure.
In scope: The Distillery proxy server, CLI, and dashboard. Out of scope: Third-party dependencies (report to their maintainers), issues requiring physical access to the machine, or social engineering attacks.