SECURITY.md Security Policy Do not commit secrets, credentials, or API keys to the repository. Use environment variables or secure storage for sensitive data. Review all dependency changes for security risks. All code (especially from agents) must be reviewed for potential vulnerabilities. Report security issues privately to the maintainers. AI/Agent Guidance Never expose, log, or hardcode secrets or credentials. Escalate any ambiguous or potentially sensitive changes for human review. Follow the principle of least privilege when requesting or granting permissions. Use only approved dependencies and tools.