Security: chrismaz11/IAM_Pilot

# Security (Pilot Guardrails)
- Never commit private keys, tokens, or credentials containing real PII.
- Use environment variables for secrets:
  - Commit `.env.example` only. Never create or commit a real `.env`.
  - Private keys and API tokens must be provided via environment variables at runtime.
  - Any local keys generated for development must be written to paths ignored by git (see `.gitignore`).
- Do not paste secrets into issues, PR descriptions, or logs.
- This repo must not store real person data:
  - Test credentials must use synthetic subjects (e.g., `did:example:...` and placeholder names).
  - If sample payloads are needed, they must be obviously fake and non-identifying.
- Default to minimal logs.
- Never log:
  - full credentials
  - decoded claim values
  - raw JWT/JWS tokens
  - private keys or seed phrases
- If debugging verification, log only:
  - timestamps/durations
  - cryptographic verification success/failure
  - credential identifier hashes (non-reversible: use a keyed hash such as HMAC, since a plain hash of a guessable identifier can be reversed by hashing candidate identifiers and comparing them against the log)
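A verifier-side logging helper that follows the logging rules above and the rule that secrets arrive through environment variables at runtime, as an added Python example (not code from the IAM_Pilot repository). The names `IAM_PILOT_LOG_HASH_KEY`, `hash_key_from_env`, `credential_fingerprint`, `redact`, `verification_log_event` and `contains_secret_material` are assumptions of this example, and the credential ID and JWS it uses are constructed, obviously fake sample data.

```python
"""Guardrail-compliant logging for credential verification.

Added example, not IAM_Pilot code. Assumed names: IAM_PILOT_LOG_HASH_KEY
(env var), hash_key_from_env, credential_fingerprint, redact,
verification_log_event, contains_secret_material.
"""
import hashlib
import hmac
import json
import os
import re
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Compact JWS/JWT: three base64url segments joined by dots, not embedded
# inside a longer run of token-like characters.
_JWT_RE = re.compile(
    r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"
    r"(?![A-Za-z0-9_-])"
)
# PEM private key blocks (RSA, EC, Ed25519 all use a "PRIVATE KEY" footer).
_PEM_RE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S
)


def hash_key_from_env(name: str = "IAM_PILOT_LOG_HASH_KEY") -> bytes:
    """Read the fingerprint key from the environment at runtime, never from a
    committed file. Fail fast instead of falling back to a hard-coded default
    that would end up in git."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without a hash key")
    return value.encode("utf-8")


def credential_fingerprint(credential_id: str, key: bytes) -> str:
    """Non-reversible identifier for log correlation. HMAC-SHA256 rather than
    bare SHA-256: IDs like did:example:123 or sequential UUIDs are guessable,
    so an unkeyed hash could be reversed by hashing candidates and comparing.
    Truncated to 16 hex chars; correlation needs no more."""
    return hmac.new(key, credential_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redact(text: str) -> str:
    """Strip raw JWT/JWS tokens and PEM private keys from free text such as
    exception messages, which JWT libraries often fill with the token."""
    text = _PEM_RE.sub("[REDACTED PRIVATE KEY]", text)
    return _JWT_RE.sub("[REDACTED JWT]", text)


def verification_log_event(
    credential_id: str,
    verified: bool,
    started: float,
    finished: float,
    key: bytes,
    error: Optional[str] = None,
) -> Dict[str, Any]:
    """Build the only record a verifier should log: timestamp, duration,
    pass/fail, fingerprint. It takes neither the token nor its claims, so
    decoded claim values cannot leak into the log by accident."""
    return {
        "ts": datetime.fromtimestamp(finished, tz=timezone.utc).isoformat(),
        "duration_ms": round((finished - started) * 1000, 3),
        "verified": bool(verified),
        "credential_fp": credential_fingerprint(credential_id, key),
        "error": redact(error) if error else None,
    }


def contains_secret_material(line: str) -> bool:
    """Last-line check before a record reaches the log sink."""
    return bool(_JWT_RE.search(line) or _PEM_RE.search(line))


# Constructed sample data: fake credential ID, fake JWS, dev-only key.
SAMPLE_KEY = b"dev-only-key-normally-read-from-env"
SAMPLE_CREDENTIAL_ID = "urn:uuid:00000000-0000-4000-8000-000000000001"
SAMPLE_JWS = (
    "eyJhbGciOiJFZERTQSJ9."
    "eyJzdWIiOiJkaWQ6ZXhhbXBsZToxMjMifQ."
    "c2lnbmF0dXJlLXNpZ25hdHVyZQ"
)


def sample_event() -> Dict[str, Any]:
    """Simulate a failed verification whose library error echoed the token."""
    err = f"signature verification failed for {SAMPLE_JWS}"
    return verification_log_event(
        SAMPLE_CREDENTIAL_ID, False, 100.0, 100.25, SAMPLE_KEY, error=err
    )


def sample_log_line() -> str:
    """One JSON line as it would be written to the log."""
    return json.dumps(sample_event())


if __name__ == "__main__":
    line = sample_log_line()
    assert not contains_secret_material(line)
    print(line)
```

The event builder has no parameter for the token or its claims on purpose: the guardrail is enforced by the function signature, not by remembering to leave fields out. The redaction regexes are a backstop for error strings only; they are not a substitute for never passing secret material to the logger in the first place.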
## Reporting security issues

- Do not open public issues with sensitive details.
- If a secret is accidentally committed, rotate it immediately and remove it from git history. Treat the secret as compromised even after the history rewrite: existing clones, forks and caches may still hold it, so rotation is the fix and the rewrite is only cleanup.