Security: RossDmello2/HPCL-Configurable-Agentic-Chatbot

Security Policy

Supported Status

This project is being prepared for public open-source release. Until the publication checklist is complete, treat the repository as release-candidate source, not production infrastructure.

Reporting A Vulnerability

Do not open a public issue containing secrets, credentials, private employee data, database dumps, vector-store payloads, screenshots with sensitive information, or exploit details.

For now, report security issues through the repository owner. A public security contact can be added before the GitHub repository is published.

Sensitive Material Rules

  • Never commit .env.local, .env, API keys, database passwords, bearer tokens, cookies, private keys, or service credentials.
  • Never publish local SQLite databases, vector databases, Qdrant snapshots, Chroma stores, logs, terminal captures, browser traces, screenshots, or phase evidence unless sanitized and explicitly approved.
  • Treat scratch/fix_privileges.py as DO_NOT_PUBLISH unless sanitized and all embedded credentials are confirmed rotated.
  • Use .env.example for placeholder-only configuration.

Pre-Publication Security Gate

Before any push to GitHub:

  1. Build a clean publish set from the core manifest.
  2. Run a secret scan over all intended files.
  3. Confirm .env.local, local databases, logs, screenshots, .git, venv, phase evidence, and generated artifacts are absent.
  4. Verify startup and health checks from placeholder-based setup instructions.
  5. Record the final verdict in docs/publication/SECURITY_PUBLICATION_CHECKLIST.md.
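One way to automate step 3 together with the placeholder-only rule for .env.example, as an added example that is not part of this repository: the script walks a publish set and lists every path that should block the push. The file extensions and the placeholder convention are assumptions, and it does not replace the dedicated secret scan in step 2.

```python
import re
import sys
from pathlib import Path

# Names below come from the policy; the suffix list and the placeholder
# convention (empty, <angle-bracketed>, changeme, your-*) are assumptions.
FORBIDDEN_NAMES = {".env", ".env.local"}
FORBIDDEN_DIRS = {".git", "venv"}
FORBIDDEN_PATHS = {"scratch/fix_privileges.py"}
FORBIDDEN_SUFFIXES = {".sqlite", ".sqlite3", ".db", ".log"}
PLACEHOLDER = re.compile(r"^$|^<[^>]*>$|^(changeme|your[-_].*|placeholder|xxx+)$", re.I)


def check_env_example(path):
    """Return the keys in an .env.example file whose values are not placeholders."""
    bad = []
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            if not PLACEHOLDER.match(value.strip().strip("'\"")):
                bad.append(key.strip())
    return bad


def audit_publish_set(root):
    """Walk the publish set and return sorted (relative_path, reason) findings."""
    findings = []
    for p in Path(root).rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_dir():
            if p.name in FORBIDDEN_DIRS:
                findings.append((rel, "forbidden directory"))
            continue
        if p.name in FORBIDDEN_NAMES:
            findings.append((rel, "environment file"))
        elif rel in FORBIDDEN_PATHS:
            findings.append((rel, "marked DO_NOT_PUBLISH"))
        elif p.suffix.lower() in FORBIDDEN_SUFFIXES:
            findings.append((rel, "local database or log"))
        elif p.name == ".env.example":
            findings += [(rel, f"non-placeholder value for {k}") for k in check_env_example(p)]
    return sorted(findings)


if __name__ == "__main__":
    results = audit_publish_set(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(f"BLOCK {rel}: {why}" for rel, why in results) or "publish set clean")
    sys.exit(1 if results else 0)
```

Run it with the publish-set directory as its only argument; a non-zero exit status means at least one path must be removed or sanitized before the push.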

There aren't any published security advisories