GovEngine is a governance and contract-helper package. It is not a scanner, exploit framework, sandbox, or authorization authority.

GovEngine is currently pre-alpha. Security fixes should target main until a stable release line exists.

Please report security-sensitive issues privately to the project owner when possible. Do not publish credentials, private targets, raw runtime logs, or exploit details in public issues.

GovEngine must not:
- treat LLM prose as executable authority;
- construct live shell commands from untrusted text;
- widen Ravenclaw/GovEngine/SCLite dependency direction;
- publish raw stdout/stderr, command logs, credentials, cookies, private paths, or private target identifiers;
- claim authorization to test a target;
- claim live vulnerability evidence from dry-run artifacts.

New safety-sensitive code should be deterministic by default, testable without live targets, and explicit about:
- scope and policy decisions;
- approved vs prepared execution shape;
- dry-run/local/mock/live truth;
- receipt/evidence non-claims;
- owner-review boundaries.
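
One way code can make these points explicit, shown as an added example that is not GovEngine's own code: every name here (`Receipt`, `prepare`, `approve`, `TEMPLATES`, the `example-probe` command) is hypothetical, and Python is an assumption about the implementation language. It records scope, mode, and review state on a receipt and derives claims only from those recorded facts.

```python
from dataclasses import dataclass, replace
from enum import Enum

class Mode(Enum):                 # dry-run/local/mock/live truth
    DRY_RUN = "dry-run"
    LOCAL = "local"
    MOCK = "mock"
    LIVE = "live"

class Shape(Enum):                # approved vs prepared execution shape
    PREPARED = "prepared"
    APPROVED = "approved"

# Hypothetical allowlist: action name -> fixed argv template (no shell string).
TEMPLATES = {"probe": ("example-probe", "--target", "{target}")}

@dataclass(frozen=True)
class Receipt:
    action: str
    argv: tuple
    mode: Mode
    in_scope: bool                # scope decision is recorded, not implied
    shape: Shape = Shape.PREPARED
    reviewer: str = ""            # owner-review boundary

    def claims(self):
        """Everything is a non-claim unless the recorded facts support it."""
        live = (self.mode is Mode.LIVE and self.shape is Shape.APPROVED
                and self.in_scope)
        return {"authorizes_testing": False, "live_evidence_eligible": live}

def prepare(action, target, scope, mode=Mode.DRY_RUN):
    """Untrusted text may only pick an allowlisted action and fill one argv slot."""
    if action not in TEMPLATES:
        raise ValueError(f"action not allowlisted: {action!r}")
    argv = tuple(p.format(target=target) for p in TEMPLATES[action])
    return Receipt(action, argv, mode, in_scope=target in scope)

def approve(receipt, reviewer):
    """Only a named owner review turns a prepared shape into an approved one."""
    if not reviewer or not receipt.in_scope:
        raise PermissionError("approval needs a reviewer and an in-scope target")
    return replace(receipt, shape=Shape.APPROVED, reviewer=reviewer)
```

Nothing here executes a command, so the whole flow can be tested without a live target.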