FileMaker admins evaluating third-party tool against production data have three immediate questions: where do credentials live, what does the extension send out, what's the blast radius in an untrusted workspace. Short SECURITY-summary block in listing README answers all three before they have to dig through SECURITY.md.
{
"scope": [
"Add new ## Security & Trust section to extension/README.md placed after Product Tour and before existing feature/usage sections. Four short bullets: (1) passwords stored in OS keychain via VS Code Secret Storage API",
"(2) no telemetry + no required cloud account (restate under security heading)",
"(3) read-only default in Restricted/untrusted workspaces",
"(4) link to full SECURITY.md for vulnerability reporting. Each claim must be factually accurate against current code — verify by grepping for SecretStorage",
"telemetry flags",
"isTrusted/untrusted-workspace handling before writing. If any claim does not hold",
"file follow-up issue + weaken bullet rather than overstating. Keep section under 12 lines so it does not push feature list below the fold."
],
"depends_on": [],
"done_when": [
"extension/README.md on main contains ## Security & Trust section with four bullets, each claim verifiable from extension source, section appears above feature/usage content on rendered Marketplace listing."
],
"validation": {
"local": [],
"review": []
},
"references": [],
"surfaces": [],
"artifact_expectations": [],
"review_points": []
}
FileMaker admins evaluating third-party tool against production data have three immediate questions: where do credentials live, what does the extension send out, what's the blast radius in an untrusted workspace. Short SECURITY-summary block in listing README answers all three before they have to dig through SECURITY.md.