If you discover a security vulnerability, do not open a public issue. Instead, use GitHub's Security Advisory feature to report it privately.
| Document | Description |
|---|---|
| ETHOS | Builder principles including User Sovereignty — AI recommends, humans decide |
| CONTRIBUTING | Contribution guidelines with security review requirements |
| The Githubification | How the GitHub-as-runtime model handles security boundaries |
- Authorization: Only users with `admin`, `maintain`, or `write` permission on the repository can trigger the agent
- Bot-loop prevention: The agent detects its own comments and ignores them, so it cannot trigger itself indefinitely
- Credential isolation: All API keys stored as GitHub Secrets, never hardcoded
- Audit trail: Every agent action is committed to git for full traceability
- Public repos: Session history is visible to everyone — use a private repo for sensitive work
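The authorization and bot-loop checks above can be expressed as a single gate that runs before the agent does anything. The example below is added here and is not the project's own code; the payload shape follows GitHub's `issue_comment` webhook event, the `/agent` trigger command and the `ROLES` table are constructed assumptions, and `lookup_role` stands in for an authenticated call to `GET /repos/{owner}/{repo}/collaborators/{username}/permission` (its `role_name` field is what distinguishes `maintain` and `triage` from plain `write`/`read`). One caveat the example encodes: the `author_association` field on the comment is not sufficient for this check, because `COLLABORATOR` covers read-only collaborators as well as writers.

```python
"""Gate an agent run on who triggered it, and refuse to react to the agent's own comments.

Example code, not part of the project described above. The payload layout follows
GitHub's issue_comment webhook; the role table and trigger command are constructed.
"""
from typing import Callable, Tuple

# Roles that may trigger the agent (matches the README's authorization rule).
ALLOWED_ROLES = {"admin", "maintain", "write"}

# Constructed stand-in for the collaborators permission endpoint. In production this
# is an authenticated API call and the value comes from the response's role_name.
ROLES = {"alice": "admin", "bob": "write", "carol": "triage", "dave": "read"}


def lookup_role(login: str) -> str:
    """Return the repository role for a login; unknown users get 'none'."""
    return ROLES.get(login, "none")


def is_own_comment(comment: dict, bot_login: str) -> bool:
    """True when the comment was posted by the agent's own bot account (loop guard)."""
    user = comment.get("user", {})
    return user.get("login") == bot_login and user.get("type") == "Bot"


def should_trigger(
    payload: dict,
    bot_login: str,
    role_of: Callable[[str], str] = lookup_role,
    trigger: str = "/agent",
) -> Tuple[bool, str]:
    """Decide whether an issue_comment event may start an agent run.

    Order matters: the loop guard runs before the command parse, so a bot comment
    that happens to quote the trigger command can never restart the agent.
    """
    if payload.get("action") != "created":
        return False, "only newly created comments are considered"
    comment = payload.get("comment", {})
    if is_own_comment(comment, bot_login):
        return False, "ignoring the agent's own comment (loop guard)"
    body = comment.get("body", "")
    if not body.lstrip().startswith(trigger):
        return False, "no trigger command in comment"
    login = comment.get("user", {}).get("login", "")
    role = role_of(login)
    if role not in ALLOWED_ROLES:
        return False, f"{login!r} has role {role!r}; need one of {sorted(ALLOWED_ROLES)}"
    return True, f"{login!r} ({role}) may trigger the agent"


def make_payload(login: str, body: str, user_type: str = "User", action: str = "created") -> dict:
    """Build a minimal constructed issue_comment payload for testing the gate."""
    return {
        "action": action,
        "comment": {"body": body, "user": {"login": login, "type": user_type}},
    }


if __name__ == "__main__":
    bot = "example-agent[bot]"  # assumed bot account name
    for p in (
        make_payload("alice", "/agent fix the failing test"),
        make_payload("carol", "/agent do this"),
        make_payload(bot, "Done. (To re-run, comment /agent again.)", user_type="Bot"),
        make_payload("bob", "thanks, looks good"),
    ):
        print(should_trigger(p, bot))
```

The role lookup is injected so the same gate can be exercised offline with the constructed table and wired to the real API in the workflow; keeping the loop guard ahead of command parsing is the part that protects against the agent re-triggering itself by echoing the command in its own status comments.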
Only the latest version on the main branch is actively supported with security updates.