If you discover a security vulnerability in AIF Handoff, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please email security concerns to the maintainers or use GitHub's private vulnerability reporting.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: within 48 hours
• Initial assessment: within 1 week
• Fix release: as soon as possible, depending on severity

• The Agent SDK uses local ~/.claude/ credentials or an API key via ANTHROPIC_API_KEY
• The SQLite database is stored locally in data/ — ensure appropriate file permissions
• The WebSocket endpoint has no authentication — intended for local development use
• Never commit .env files or API keys to the repository

• CI security gate for shipped/runtime risk uses npm audit --omit=dev.
• Full npm audit may include dev-tooling findings (for example migration/lint/build chains) that do not ship in runtime artifacts.
• Dev-only findings are triaged separately and may be tracked as accepted risk with periodic re-evaluation.