
Security: AntipasBen23/precursor-sync-agent


SECURITY.md

Security Policy

Supported Versions

Version   Supported
1.0.x     Yes

Reporting a Vulnerability

If you discover a security vulnerability in Precursor Sync Agent, please report it responsibly:

Contact

What to Include

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Suggested fix (if available)

What NOT to Report Publicly

  • Do not open GitHub issues for security vulnerabilities
  • Do not discuss vulnerabilities in public forums
  • Do not share exploit code publicly

Security Considerations

Authentication

  • GitHub Personal Access Tokens are used only to authenticate requests to GitHub
  • Tokens are never written to logs or persisted to disk
  • Supply the token through an environment variable rather than on the command line or in a config file (command-line arguments are visible to other processes and to shell history)

Data Handling

  • Plan data is processed locally only
  • No data is transmitted to external services except GitHub
  • Audit logs remain local to your repository

Dependencies

  • Regular security audits of the dependency tree via npm audit
  • Automated dependency update pull requests via Dependabot
  • Minimal dependency footprint, so there is less third-party code to audit
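An added example of the Dependabot configuration the two points above imply; this is not the repository's own file, and the weekly schedule and root directory are assumptions:

```yaml
# .github/dependabot.yml (example, not taken from precursor-sync-agent)
version: 2
updates:
  - package-ecosystem: "npm"   # watch package.json / package-lock.json
    directory: "/"             # assumption: the package lives at the repo root
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
```

For the manual side, `npm audit --audit-level=high` exits non-zero only for high or critical findings, which is a reasonable gate in CI without blocking on every low-severity advisory.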

Best Practices

  1. Token Security

    • Use tokens with the minimal required scope (repo for classic tokens; note that a classic repo scope grants access to every repository the account can reach, so a fine-grained token limited to the single target repository is preferable where available)
    • Rotate tokens regularly and revoke any token that may have been exposed
    • Never commit tokens to version control
  2. Network Security

    • Only fetch plans from trusted URLs, ideally from an explicit allowlist of hosts
    • Validate TLS certificates; never disable verification (for example via NODE_TLS_REJECT_UNAUTHORIZED=0)
    • Use HTTPS for all external requests
  3. File System

    • Tool operates only within the target repository
    • Creates files with appropriate permissions
    • Validates file paths so that a path from a plan cannot escape the repository root (directory traversal via ../ or absolute paths)

Acknowledgments

We appreciate responsible disclosure of security vulnerabilities and will acknowledge contributors (with permission) in our security advisories.

There aren’t any published security advisories