Security
Public release guidance for secrets, permissions, logging, and generated code.
Secrets
Never commit real API keys, tokens, or connection strings. Use environment variables or a secret manager.
Permissions
Ask before ingestion, web requests, file reads, API calls, and cloud connections.
Allowlists
Keep file, URL, and API allowlists narrow for agentic tools.
Logging
Use structured logs and redact sensitive values before writing them.
Generated code
Write placeholders into .env files, not live secrets into Python.
Dependencies
Pin production dependencies and review optional extras before release.
For the repo-level checklist, see SECURITY.md.