Security: rozmiarD/SCLite

SECURITY.md

Security Policy

SCLite defines, validates, redacts, hashes, binds, and verifies public-safe Security Contract Layer artifacts.

It is not an executor, scanner, authorization authority, sandbox, or vulnerability proof system.

Supported versions

SCLite is currently in a 0.y.z lifecycle-candidate phase. Security fixes should target main until stable release branches exist.

Reporting security issues

Please avoid posting credentials, private targets, raw logs, exploit details, or sensitive runtime artifacts in public issues.

If a report requires sensitive details, contact the project owner privately where possible and share only the minimum needed to reproduce the issue.

Security boundaries

SCLite must not:

  • publish raw stdout/stderr from real runs;
  • include credentials, cookies, bearer tokens, private headers, or private paths in examples;
  • claim legal authorization for target testing;
  • claim live vulnerability evidence from validation receipts;
  • turn schema validation into permission to execute tools;
  • become a protocol adapter or execution wrapper.

Public-safe fixture requirements

Fixtures should be synthetic or explicitly public-safe. They should preserve clear non-claims and be reviewable without live targets, private operator state, or external services.