This repository was archived by the owner on Jun 13, 2026. It is now read-only.

Security: crubn/docagent-handbook

docs/SECURITY.md

Security

Reporting a vulnerability

Please do not open public issues for security vulnerabilities.

Contact the operator of your DocAgent instance (the team who runs it) and include:

  • affected instance URL
  • reproduction steps (no secrets)
  • impact assessment

Operational hardening checklist (for operators)

  • Keep DocAgent behind HTTPS (TLS).
  • Rotate GITHUB_WEBHOOK_SECRET if it is ever exposed.
  • Do not commit .env, private keys, or database files.
  • Restrict who can access the dashboard (SSO / password / network policy).
  • Grant the GitHub App only the least-privilege permissions that the features you have enabled actually need.

Safe defaults

DocAgent is designed to be conservative:

  • Auto-fix (commits) is off by default
  • Merge blocking (CI Gate) is off by default
  • Dry-run guarantees no commits and no merge blocking

There aren't any published security advisories