Skip to content

Security: xiaoqi-AI/agent-cli-scope-guard

SECURITY.md

Security Policy

Reporting a vulnerability

Use GitHub private vulnerability reporting when available. If it is not available, open an Issue containing only a short, sanitized description and ask for a private contact channel.

Never include:

  • API keys, tokens, passwords, cookies, or OAuth material
  • complete environment snapshots
  • private repository paths or customer identifiers
  • raw authentication files
  • logs that contain request headers or credentials

Include the affected version, operating system, finding ID, safe reproduction steps, and whether the impact is observed, inferred, or confirmed.

Supported versions

Security fixes are applied to the latest release on main while the project is in its initial alpha phase.

Auditor guarantee

The auditor is designed not to collect or emit secret values. A regression that causes a secret value to appear in text or JSON output is considered a high-severity vulnerability.

There aren't any published security advisories