This repository is documentation and templates only. Apply security practices to
projects you generate from template/ or samples/.
Do not open a public issue for sensitive reports.
- Open a private security advisory on GitHub (Security → Advisories → Report a vulnerability), or contact the maintainers through the repository’s GitHub profile — do not post secrets in issues.
- Include steps to reproduce and impact assessment.
- Allow reasonable time for a fix before disclosure.
- Never commit
.env, API keys, connection strings, or customer data. - Run
scripts/leak-scan.shbefore every push to a public remote. - Use provider secret managers in staging and production (
[-stage env],[-prod env]). - Rotate credentials if they were ever pasted into an AI chat session.
When using Cursor, Claude, or other agents:
- Do not paste production
DATABASE_URLor admin tokens into prompts. - Use
pnpm run db:validateon local profiles only. - Surface exact cloud commands for human approval before prod changes.