Project Context Compiler is local-first software that can process raw project history, chat exports, and repository metadata. Treat those inputs as sensitive.

Please report security issues privately through the repository owner's preferred private contact channel. Do not open public issues for credentials, private paths, raw conversation dumps, or data exposure reports.

• Keep .agent/, SQLite stores, raw JSONL session exports, provider logs, and local cache directories out of public commits.
• Rotate any credential that was accidentally passed through a local memory store or fixture.
• Use synthetic fixtures for public tests.
• Review generated reports before sharing them outside a private workspace.

The public repository starts at the first public snapshot. Security fixes target the current main branch unless a release branch is explicitly maintained.