Security: AnkitParekh007/devdocs-forge-agent

SECURITY.md

Security Policy — devdocs-forge-agent

Supported Versions

Version   Supported
0.1.x     Yes

API Key Security

  • Never commit .env to version control — it is in .gitignore by default
  • Never share API keys in GitHub issues, pull requests, or discussions
  • Never log API keys — if you discover a version that does this, report it
  • The project uses native fetch with no external AI SDK packages — keys are only used in provider calls

Reporting a Vulnerability

If you discover a security vulnerability in devdocs-forge-agent, please do not open a public GitHub issue.

Instead, use GitHub Security Advisories (private disclosure).

Include:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

You will receive a response within 72 hours.

Responsible Disclosure

We follow responsible disclosure practices. We ask that you:

  • Give us reasonable time to fix the issue before public disclosure
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it
  • Do not access or modify other users' data

Scope

Security reports are in scope for:

  • API key exposure in logs or output files
  • Path traversal vulnerabilities in file operations
  • Command injection risks
  • Unintended data exfiltration

Out of scope:

  • Bugs in third-party AI provider APIs
  • Issues in content generated by AI providers
