OrigenLab is a public monorepo. It documents operator workflows but must not contain live credentials, mailbox exports, SQLite files, generated reports, or client operational data.
Do not open a public issue with exploit details, secrets, stack traces containing tokens, or live customer/mailbox data.
- Contact the maintainers through a private channel (direct message or email to the project owner).
- Include: affected component (`apps/web`, `apps/api`, `apps/dashboard`, `apps/email-pipeline`), reproduction steps, and suspected impact.
- Allow reasonable time for triage before any public disclosure.
- If a secret is exposed, revoke and rotate it immediately (OAuth tokens, app passwords, API keys, database passwords).
- Remove the secret from tracked files and Git history if applicable.
- Notify maintainers privately with what was exposed and what was rotated.
Operational data (CSVs, JSONL, SQLite, PST/mbox) never belongs in Git. If it is committed, treat it as a data exposure: stop publishing, remove it from tracking, and assess the PII impact.
- Email archives, database files, JSONL exports, generated client reports, and `.env` files with credentials must not be committed.
- The email pipeline may process real mailbox content locally. Treat logs, reports, and database copies as sensitive.
- See `docs/SECURITY_PUBLIC_REPO.md` for the public-repo checklist and `apps/email-pipeline/docs/SECURITY.md` for pipeline-specific notes.
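One way to enforce the "never in Git" rule above before a commit lands, as an added example that is not part of the OrigenLab repo: a POSIX sh pre-commit guard that rejects staged paths matching the file types this policy names. The `reports/` directory name, the `.db` extension and the `.env.example` allowance are assumptions of this example, not something the policy specifies.

```shell
#!/bin/sh
# Added example (not OrigenLab code): pre-commit guard that blocks the file
# types this policy says must never be committed. Install by copying it to
# .git/hooks/pre-commit and marking it executable.

# forbidden_path PATH -> exit 0 if PATH must not be committed, 1 otherwise.
forbidden_path() {
  case "$1" in
    *.env.example|*.env.sample) return 1 ;;   # assumption: secret-free templates are fine
    .env|*/.env|.env.*|*/.env.*) return 0 ;;  # .env files with credentials
    *.sqlite|*.sqlite3|*.db) return 0 ;;      # SQLite databases (.db is an assumption)
    *.pst|*.mbox) return 0 ;;                 # mailbox exports
    *.csv|*.jsonl) return 0 ;;                # operational data exports
    reports/*|*/reports/*) return 0 ;;        # assumption: generated client reports live here
  esac
  return 1
}

# check_paths PATH... -> prints each blocked path, exit 1 if any were blocked.
check_paths() {
  status=0
  for p in "$@"; do
    if forbidden_path "$p"; then
      echo "blocked: $p (operational data or credentials must not be committed)" >&2
      status=1
    fi
  done
  return "$status"
}

# When git invokes this file as the pre-commit hook, check every path staged
# for the commit (added, copied or renamed; deletions are always allowed).
case "$0" in
  */pre-commit)
    IFS='
'
    set -- $(git diff --cached --name-only --diff-filter=ACR)
    unset IFS
    check_paths "$@" || {
      echo "commit rejected: see docs/SECURITY_PUBLIC_REPO.md" >&2
      exit 1
    }
    ;;
esac
```

The hook only blocks by file name; a token pasted into a source file still needs a secret scanner or review.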