Security

Public release guidance for secrets, permissions, logging, and generated code.

Secrets

Never commit real API keys, tokens, or connection strings. Use environment variables or a secret manager.

Permissions

Ask before ingestion, web requests, file reads, API calls, and cloud connections.

Allowlists

Keep file, URL, and API allowlists narrow for agentic tools.

Logging

Use structured logs and redact sensitive values before writing them.

Generated code

Write placeholders into .env files, not live secrets into Python.

Dependencies

Pin production dependencies and review optional extras before release.

For the repo-level checklist, see SECURITY.md.