Skip to content

Security: ChenXIXIXIXXI/agentic-vault-kit

Security

SECURITY.md

Security policy

Hard rules baked into the kit

  • No live credentials in Git, ever: full API keys, access tokens, cookies, SSH private keys, passwords, seed phrases, card CVVs, one-time codes, or any config/log that can directly log in, transfer money, or call a paid service. A private repo is not a password manager.
  • Real secrets live in the OS keychain, a password manager, environment variables, or gitignored local files.
  • Any third-party or "free" LLM API key pasted into a chat is treated as already leaked: never written to a file, never committed, never echoed back.
  • Third-party raw data (dictionary dumps, question banks) stays in a gitignored _external-refs/ directory with a tracked curation ledger, so the data is rebuildable but never republished.

Reporting

If you find sensitive data accidentally published in this repository, please open a private security advisory or contact the maintainer; the offending content will be purged from history, not just deleted.

There aren't any published security advisories