This project is being prepared for public open-source release. Until the publication checklist is complete, treat the repository as release-candidate source, not production infrastructure.
Do not open a public issue containing secrets, credentials, private employee data, database dumps, vector-store payloads, screenshots with sensitive information, or exploit details.
For now, report security issues through the repository owner. A public security contact can be added before the GitHub repository is published.
- Never commit `.env.local`, `.env`, API keys, database passwords, bearer tokens, cookies, private keys, or service credentials.
- Never publish local SQLite databases, vector databases, Qdrant snapshots, Chroma stores, logs, terminal captures, browser traces, screenshots, or phase evidence unless sanitized and explicitly approved.
- Treat `scratch/fix_privileges.py` as `DO_NOT_PUBLISH` unless it is sanitized and all embedded credentials are confirmed rotated.
- Use `.env.example` for placeholder-only configuration.
Before any push to GitHub:
- Build a clean publish set from the core manifest.
- Run a secret scan over all intended files.
- Confirm that `.env.local`, local databases, logs, screenshots, `.git`, `venv`, phase evidence, and generated artifacts are absent from the publish set.
- Verify that the service starts and its health checks pass when set up from the placeholder-based setup instructions alone.
- Record the final verdict in `docs/publication/SECURITY_PUBLICATION_CHECKLIST.md`.
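The pre-push steps above, assembled into one gate as an added example (illustration code written for this page, not the project's own publication tooling). It assumes a hypothetical manifest format of one repo-relative path per line, uses its own placeholder-aware regexes for the secret scan rather than any particular scanner, and runs against a constructed sample repository; the startup and health-check verification and the verdict record stay manual.

```shell
#!/usr/bin/env bash
# Pre-push publication gate for the checklist above.
# Added example, not the project's own tooling. Assumptions (hypothetical):
# the "core manifest" is a text file with one repo-relative path per line, and
# the clean publish set is a fresh directory holding only those files.

# Checklist step 3: names that must never reach the publish set.
is_forbidden_path() {
  case "$1" in
    .env|.env.local|*/.env|*/.env.local) return 0 ;;
    .git|.git/*|*/.git/*|venv|venv/*|*/venv/*) return 0 ;;
    *.sqlite|*.sqlite3|*.db|*.log|*.png|*.jpg|*.jpeg) return 0 ;;
    scratch/fix_privileges.py) return 0 ;;
  esac
  return 1
}

# Checklist step 2: secret scan for one file. Lines carrying an obvious
# placeholder marker are dropped first so .env.example passes; the rest are
# matched against common credential shapes (these regexes are an assumption,
# not the project's scanner). Returns 0 when something secret-like is found.
file_has_secret() {
  grep -Eiv 'changeme|replace[-_]?me|your-[a-z-]+-here|placeholder' "$1" 2>/dev/null |
    grep -Eiq \
      -e 'AKIA[0-9A-Z]{16}' \
      -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
      -e '(password|passwd|secret|token|api[_-]?key)[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}' \
      -e 'bearer [a-z0-9._-]{20,}'
}

# Checklist step 1, with steps 2 and 3 applied per file: copy only manifest
# entries into a fresh directory, rejecting forbidden paths, missing files and
# files that fail the secret scan. Prints every finding; returns 1 if any.
build_publish_set() {
  manifest="$1"; src="$2"; out="$3"; findings=0
  [ -n "$out" ] || return 2
  rm -rf "$out" && mkdir -p "$out"
  while IFS= read -r rel || [ -n "$rel" ]; do
    if [ -z "$rel" ]; then continue; fi
    if is_forbidden_path "$rel"; then
      echo "REJECT forbidden path listed in manifest: $rel"; findings=$((findings + 1)); continue
    fi
    if [ ! -f "$src/$rel" ]; then
      echo "REJECT manifest entry does not exist: $rel"; findings=$((findings + 1)); continue
    fi
    if file_has_secret "$src/$rel"; then
      echo "REJECT secret-like content: $rel"; findings=$((findings + 1)); continue
    fi
    mkdir -p "$out/$(dirname "$rel")" && cp "$src/$rel" "$out/$rel"
  done < "$manifest"
  [ "$findings" -eq 0 ]
}

# Constructed sample repository for the demonstration; none of this is real data.
make_sample_repo() {
  src="$1"
  mkdir -p "$src/app" "$src/scratch" "$src/docs"
  printf 'DATABASE_URL=postgres://app:changeme@localhost/app\nAPI_KEY=replace-me\n' > "$src/.env.example"
  printf 'DATABASE_URL=postgres://app:s3cr3tpassw0rd@db/prod\nAPI_KEY=AKIAIOSFODNN7EXAMPLE\n' > "$src/.env.local"
  printf 'def health():\n    return {"status": "ok"}\n' > "$src/app/main.py"
  printf 'AUTH_TOKEN = "ghp_notarealtoken0123456789"\n' > "$src/app/config.py"
  printf 'ADMIN_PASSWORD = "hunter2hunter2"\n' > "$src/scratch/fix_privileges.py"
  printf '# Security publication checklist\n' > "$src/docs/CHECKLIST.md"
  printf 'app/main.py\n.env.example\ndocs/CHECKLIST.md\n' > "$src/manifest.txt"
  printf 'app/main.py\n.env.local\nscratch/fix_privileges.py\napp/config.py\n' > "$src/bad_manifest.txt"
}

# Stand-alone run: the clean manifest builds; the bad one is blocked.
tmp=$(mktemp -d)
make_sample_repo "$tmp/repo"
if build_publish_set "$tmp/repo/manifest.txt" "$tmp/repo" "$tmp/publish"; then
  echo "clean manifest: publish set built at $tmp/publish"
fi
if ! build_publish_set "$tmp/repo/bad_manifest.txt" "$tmp/repo" "$tmp/publish_bad"; then
  echo "bad manifest: publication blocked"
fi
rm -rf "$tmp"
```

The gate copies files rather than pushing the working tree, so anything not named in the manifest can never leak by omission; a file that is named but forbidden, missing, or secret-bearing produces a printed finding and a non-zero exit, which is what a pre-push hook or CI job should key on. Placeholder detection is deliberately narrow: a real value that happens to contain the word "placeholder" would be skipped, so the output directory still deserves a second scan with a dedicated tool before the final verdict is recorded.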