odos-sdk 2.0.0

Rust SDK for Odos
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319

# Security Policy

## Supported Versions

We actively maintain odos-sdk with a focus on the latest releases:

- **Latest release**: Full support with active development
- **Recent releases**: Security fixes and critical bug fixes
- **Older releases**: Upgrade recommended

**Support Policy:**

- Pre-stable releases: Latest and previous minor versions supported
- Stable releases: Current and previous major versions supported
- Security fixes prioritized based on severity and affected versions

To check the current version and release notes, see [Releases](https://github.com/semiotic-ai/odos-sdk/releases) or [crates.io](https://crates.io/crates/odos-sdk).

## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

### How to Report

**DO NOT** open a public GitHub issue for security vulnerabilities.

Instead, please report security vulnerabilities through:

- **GitHub Security Advisories**: [Report a vulnerability](https://github.com/semiotic-ai/odos-sdk/security/advisories/new)

This is the preferred and most secure method for reporting vulnerabilities.

Include in your report:

1. **Description**: Clear description of the vulnerability
2. **Impact**: What could an attacker achieve?
3. **Reproduction**: Step-by-step instructions to reproduce
4. **Version**: Affected version(s) of odos-sdk
5. **Proposed Fix**: (Optional) Suggestions for fixing the issue

### What to Expect

1. **Acknowledgment**: We will acknowledge receipt within 48 hours
2. **Assessment**: We will assess the report and determine severity within 5 business days
3. **Updates**: We will provide regular updates on our progress
4. **Fix Timeline**:
   - **Critical**: Patch within 7 days
   - **High**: Patch within 30 days
   - **Medium**: Patch within 90 days
   - **Low**: Addressed in next regular release
5. **Disclosure**: We will coordinate with you on public disclosure timing

### Security Advisories

Security advisories will be published through:

- GitHub Security Advisories
- RUSTSEC advisory database
- Release notes and CHANGELOG.md

## Security Best Practices for Users

### API Key Security

**CRITICAL**: Never expose your Odos API key in public repositories, logs, or error messages.

#### Secure Key Storage

```rust
use odos_sdk::{OdosClient, ClientConfig, ApiKey};
use std::env;

// ✅ GOOD: Load from environment variable
let api_key = env::var("ODOS_API_KEY")
    .ok()
    .and_then(|k| k.parse::<ApiKey>().ok());

let config = ClientConfig {
    api_key,
    ..Default::default()
};
let client = OdosClient::with_config(config)?;
```

```rust
// ❌ BAD: Hardcoded API key
let config = ClientConfig {
    api_key: Some("your-api-key".parse().unwrap()), // NEVER DO THIS
    ..Default::default()
};
```

#### Environment Variables

Use `dotenvy` to load API keys from `.env` files:

```rust
use dotenvy::dotenv;

// Load .env file
dotenv().ok();

// Access API key
let api_key = std::env::var("ODOS_API_KEY")
    .ok()
    .and_then(|k| k.parse().ok());
```

**Important**: Add `.env` to your `.gitignore`:

```gitignore
.env
.env.local
.env.*.local
```

### Rate Limiting

The SDK implements client-side retry logic, but you should also implement application-level rate limiting:

```rust
use odos_sdk::RetryConfig;

// Conservative retry configuration for production
let retry_config = RetryConfig {
    max_retries: 3,
    initial_backoff_ms: 200,
    retry_server_errors: true,
    retry_predicate: None,
};

let client = OdosClient::with_retry_config(retry_config)?;
```

### Input Validation

Always validate user inputs before constructing API requests:

```rust
use odos_sdk::QuoteRequest;
use alloy_primitives::{Address, U256};

// Validate addresses
let token_address = address_str.parse::<Address>()
    .map_err(|_| "Invalid token address")?;

// Validate amounts (prevent overflow)
let amount = U256::try_from(amount_str)
    .map_err(|_| "Invalid amount")?;

// Validate slippage (prevent excessive slippage)
let slippage = slippage_percent.max(0.1).min(50.0);

let quote = QuoteRequest::builder()
    .chain_id(chain_id)
    .input_tokens(vec![(token_address, amount).into()])
    // ... rest of request
    .build();
```

### Error Handling

Never expose sensitive information in error messages:

```rust
use odos_sdk::OdosError;

match client.quote(&request).await {
    Ok(quote) => {
        // Handle success
    }
    Err(e) => {
        // ✅ GOOD: Log internally, show generic message to users
        tracing::error!("Quote request failed: {}", e);
        return Err("Failed to get quote. Please try again.".into());
    }
}
```

```rust
// ❌ BAD: Exposing internal error details to users
match client.quote(&request).await {
    Err(e) => panic!("Error: {}", e), // May leak trace IDs, URLs, etc.
}
```

### Timeout Configuration

Configure appropriate timeouts to prevent resource exhaustion:

```rust
use std::time::Duration;

let config = ClientConfig {
    timeout: Duration::from_secs(30),
    connect_timeout: Duration::from_secs(10),
    ..Default::default()
};
```

### TLS/HTTPS

The SDK always uses HTTPS for API communication. The underlying `reqwest` client:

- Validates TLS certificates by default
- Uses system certificate store
- Enforces secure cipher suites

Never disable certificate validation in production.

## Dependency Security

### Regular Updates

We regularly audit and update dependencies. Users should:

1. **Update frequently**: Run `cargo update` regularly
2. **Monitor advisories**: Use `cargo audit` to check for vulnerabilities
3. **Review changes**: Read CHANGELOG.md before updating

### Dependency Auditing

Check for known vulnerabilities:

```bash
# Install cargo-audit
cargo install cargo-audit

# Run audit
cargo audit

# Check for specific advisories
cargo audit --deny warnings
```

### Minimal Dependencies

We maintain a minimal dependency footprint to reduce attack surface. See `DEPENDENCIES.md` for detailed rationale for each dependency.

## Cryptographic Operations

This SDK does not perform cryptographic operations directly. It relies on:

- **alloy ecosystem**: For Ethereum-related cryptography (signing, address derivation)
- **reqwest + rustls**: For TLS/HTTPS connections

Users performing transaction signing should:

1. Use hardware wallets when possible
2. Never expose private keys in logs or error messages
3. Use `alloy-signer` best practices for key management

## Network Security

### API Endpoints

The SDK connects to:

- `https://api.odos.xyz` (Public API)
- `https://enterprise-api.odos.xyz` (Enterprise API)

**Important**: The SDK does not support custom endpoints to prevent MitM attacks via endpoint injection.

### Connection Pool Security

The SDK uses connection pooling for performance. Default settings:

- Maximum 20 connections
- 90-second idle timeout
- Automatic cleanup of stale connections

### Proxy Support

If using HTTP proxies, ensure:

- Proxy connection uses TLS
- Proxy is trusted and properly configured
- Sensitive data is not logged by proxy

## Incident Response

If you suspect your application using odos-sdk has been compromised:

1. **Isolate**: Immediately isolate affected systems
2. **Rotate Keys**: Rotate any API keys that may have been exposed
3. **Investigate**: Determine scope of compromise
4. **Notify**: [Report via GitHub Security Advisories](https://github.com/semiotic-ai/odos-sdk/security/advisories/new) if the SDK itself is implicated
5. **Update**: Update to latest patched version if vulnerability was in SDK

## Security Checklist for Production

Before deploying applications using odos-sdk to production:

- [ ] API keys loaded from environment variables, never hardcoded
- [ ] `.env` files added to `.gitignore`
- [ ] Input validation implemented for all user inputs
- [ ] Error messages do not expose sensitive information
- [ ] Appropriate timeouts configured
- [ ] Rate limiting implemented at application level
- [ ] TLS certificate validation enabled (default)
- [ ] Dependencies audited with `cargo audit`
- [ ] Logging configured to exclude sensitive data
- [ ] Monitoring and alerting configured for error rates
- [ ] Incident response plan documented

## Additional Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Rust Security Guidelines](https://anssi-fr.github.io/rust-guide/)
- [RUSTSEC Advisory Database](https://rustsec.org/)
- [Odos API Documentation](https://docs.odos.xyz/)

## Contact

For security-related questions or concerns:

- **Security Reports**: [GitHub Security Advisories](https://github.com/semiotic-ai/odos-sdk/security/advisories/new)
- **General Questions**: [GitHub Discussions](https://github.com/semiotic-ai/odos-sdk/discussions)
- **Project Issues**: <https://github.com/semiotic-ai/odos-sdk/issues>