Vader Engine v2.6.1 enforces a zero-leak environment contract: live credentials never belong in committed files or public issues.

Do not open a public GitHub issue for security vulnerabilities.
Use a private security advisory on this repository. That channel keeps details confidential until a fix is ready.
We will acknowledge receipt and work on remediation. Please allow reasonable time before public disclosure.

| Rule | Detail |
|---|---|
| Live secrets | Only in untracked .env.local (gitignored) at repo root and sandbox paths |
| Committed contract | .env.example and MCP placeholders (YOUR_*, CHANGE_ME) — never real tokens |
| Script hydration | All scripts/*.mjs import scripts/lib/msc-load-env.mjs first (.env.local → .env.example) |
| Pre-commit | msc:validate-env and verify:mcp run on every commit (Husky) |
| MCP portability | .cursor/mcp.json uses "${workspaceFolder}" — no machine-specific paths in Git |

In chat and logs, agents and operators must refer to secrets by variable name only; never paste API keys, passwords, or PATs into issues or pull requests.
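The hydration order and pre-commit checks in the table, and the "variable names only" rule for logs, can be illustrated with a small Node script. This is an added example, not the project's own scripts/lib/msc-load-env.mjs or msc:validate-env; the function names, the list of secret-like name suffixes, and the two sample file contents are constructed for this example, and a real loader would read .env.local and .env.example from the repo root instead of strings.

```javascript
// Added example, not the project's scripts/lib/msc-load-env.mjs: a minimal
// loader with the ".env.local -> .env.example" precedence from the table, and
// checks a pre-commit hook in the spirit of msc:validate-env could run.
// Function names and sample file contents are constructed for this example.

// Parse KEY=VALUE lines. Blank lines and # comments are skipped; matching
// single or double quotes around a value are stripped.
function parseEnv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue; // no key, or no '=' at all
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const first = value[0];
    const last = value[value.length - 1];
    if (value.length >= 2 && (first === '"' || first === "'") && last === first) {
      value = value.slice(1, -1);
    }
    out[key] = value;
  }
  return out;
}

// Hydration order from the table: .env.local wins, .env.example fills the rest.
function hydrateEnv(localText, exampleText) {
  return { ...parseEnv(exampleText), ...parseEnv(localText) };
}

// Committed-contract placeholders: YOUR_* or CHANGE_ME (both from the table).
const PLACEHOLDER = /^(YOUR_[A-Z0-9_]*|CHANGE_ME)$/;
// Variable names that may only hold a placeholder in a committed file.
// This suffix list is an assumption made for the example.
const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD|PAT)$/;

// Pre-commit check 1: a committed .env.example must not carry a real-looking
// value under a secret-like name. Returns the offending keys ([] when clean).
function findLiveValuesInCommittedFile(text) {
  const env = parseEnv(text);
  return Object.keys(env).filter(
    (k) => SECRET_NAME.test(k) && env[k] !== '' && !PLACEHOLDER.test(env[k]),
  );
}

// Pre-commit check 2: after hydration, which secret-like variables still sit at
// their placeholder, i.e. were never set in .env.local?
function unresolvedPlaceholders(env) {
  return Object.keys(env).filter((k) => SECRET_NAME.test(k) && PLACEHOLDER.test(env[k]));
}

// Log/chat hygiene: does a message contain any live value from the local env?
// Values shorter than 8 characters are skipped to avoid trivial matches.
function containsLiveValue(message, localEnv) {
  return Object.values(localEnv).some(
    (v) => v.length >= 8 && !PLACEHOLDER.test(v) && message.includes(v),
  );
}

// Constructed sample files (not real credentials).
const EXAMPLE_FILE = `# committed contract: placeholders only
OPENAI_API_KEY=YOUR_OPENAI_API_KEY
DB_PASSWORD=CHANGE_ME
LOG_LEVEL=info
`;
const LOCAL_FILE = `OPENAI_API_KEY="sk-constructed-example-0000"
DB_PASSWORD='pw-constructed-example'
`;

const env = hydrateEnv(LOCAL_FILE, EXAMPLE_FILE);
console.log('committed-file offenders:', findLiveValuesInCommittedFile(EXAMPLE_FILE)); // []
console.log('unresolved after hydration:', unresolvedPlaceholders(env)); // []
console.log('unresolved with example only:', unresolvedPlaceholders(parseEnv(EXAMPLE_FILE))); // ['OPENAI_API_KEY', 'DB_PASSWORD']
console.log('log line leaks a value?', containsLiveValue('Set OPENAI_API_KEY in .env.local', parseEnv(LOCAL_FILE))); // false
```

The same parser serves both sides of the contract: the committed file is checked for values that are not placeholders, and the hydrated environment is checked for placeholders that were never overridden, so a script fails fast instead of calling an API with YOUR_OPENAI_API_KEY.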
Security fixes are applied on the current v2.x line on main. Tagged releases: see the releases page.

- README — Security & compliance
- TRUTH.md — zero-leak and MCP rules
- env-ingestion-compliance
- CONTRIBUTING.md — Dependabot and security