This project is currently in active development. All versions are considered to be in beta and should be used with caution in production environments.

If you discover any security vulnerabilities, please report them by creating a new issue in this repository. We take all security reports seriously and will respond as quickly as possible to address any issues.

• Never commit sensitive information such as API keys, passwords, or tokens to the repository
• Use environment variables for configuration
• Store secrets in .env files (which are included in .gitignore)
• Use GitHub Secrets for CI/CD pipeline

• Regularly update dependencies to their latest secure versions
• Use Dependabot to automatically create pull requests for dependency updates
• Review and audit dependencies for known vulnerabilities

• All changes must be reviewed by at least one other team member
• Pay special attention to security-sensitive areas (authentication, authorization, data validation)
• Use static analysis tools to identify potential security issues

Before submitting a pull request, please ensure:

• No sensitive information is included in the code or commit history
• All dependencies are up to date
• New dependencies have been vetted for security
• All tests pass
• Security scanners (gitleaks) pass
• Documentation has been updated if necessary

This repository uses the following security tools:

• gitleaks - For detecting hardcoded secrets
• GitHub's built-in secret scanning
• Dependabot for dependency updates and security alerts

• Enable branch protection for the main branch
• Require pull request reviews before merging
• Require status checks to pass before merging
• Do not allow force pushes to the main branch
• Require linear history