
Security: hdean-ssp/genero-tools


docs/SECURITY.md

Security Practices

This document outlines the security practices and considerations for the genero-tools project.

Overview

This is a public repository containing a static analysis tool: it reads Genero/4GL source code and extracts metadata from it. Security rests on two things: the tool itself handles no secrets, and the repository is kept free of sensitive files through the practices described below.

No Sensitive Data

The project does not store, process, or require:

  • API keys or credentials
  • Passwords or authentication tokens
  • Personally Identifiable Information (PII)
  • Database connection strings with credentials
  • Private configuration data

.gitignore Configuration

The .gitignore file is configured to prevent accidental commits of sensitive files:

# Environment and secrets
.env
.env.local
.env.*.local
*.key
*.pem
*.p12
*.pfx
*.crt
*.cer
*.pub
secrets.json
config.local.json

# Generated output files
workspace.json
modules.json
codebase_index.json
*.db

This stops untracked files with these names from being picked up by git add. It is a safety net, not a guarantee: a .gitignore rule has no effect on files that are already tracked (use git rm --cached to untrack them), it is bypassed by git add -f, and the patterns above are name-based, so a private key saved as id_rsa or an environment file named .env.production is not covered.
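The following script, added here as an illustration and not part of genero-tools, applies the patterns from the excerpt above to a list of constructed file names to show which ones are caught and which slip through. It implements only the simplified gitignore rule the excerpt needs (a pattern with no slash is matched against every path component, so *.key also catches secrets/server.key); negation, anchored and directory-only patterns are not handled because the excerpt uses none. The git_check_ignore helper is the authoritative check and requires git and a repository to run in.

```python
"""Check what the .gitignore patterns from SECURITY.md actually cover.

Added example, not part of genero-tools. Simplified gitignore semantics:
a slash-free pattern is matched against each path component. Negation
('!'), anchored and directory-only patterns are not implemented.
"""
import fnmatch
import subprocess

# Patterns copied from the .gitignore excerpt in SECURITY.md.
SENSITIVE_PATTERNS = [
    ".env", ".env.local", ".env.*.local",
    "*.key", "*.pem", "*.p12", "*.pfx", "*.crt", "*.cer", "*.pub",
    "secrets.json", "config.local.json",
]
GENERATED_PATTERNS = ["workspace.json", "modules.json", "codebase_index.json", "*.db"]
ALL_PATTERNS = SENSITIVE_PATTERNS + GENERATED_PATTERNS

# Constructed file names a developer might plausibly create; not from the project.
CANDIDATES = [
    "secrets/server.key",          # caught by *.key at any depth
    ".env.prod.local",             # caught by .env.*.local
    "build/codebase_index.json",   # generated output, caught by exact name
    "cache/index.db",              # caught by *.db
    ".env.production",             # NOT caught: only .env, .env.local, .env.*.local
    "id_rsa",                      # NOT caught: private key with no extension
    "keys/server.key.old",         # NOT caught: *.key does not match .key.old
    "credentials.yaml",            # NOT caught: no yaml/yml pattern at all
    "config.local.json.bak",       # NOT caught: exact-name pattern only
]


def is_ignored(path, patterns=ALL_PATTERNS):
    """True if any path component matches any slash-free gitignore pattern.

    fnmatchcase is used because git matches ignore patterns case-sensitively
    unless core.ignorecase is set (the default on macOS and Windows).
    """
    parts = [p for p in path.strip("/").split("/") if p]
    return any(fnmatch.fnmatchcase(part, pat) for part in parts for pat in patterns)


def uncovered(paths, patterns=ALL_PATTERNS):
    """Return the paths that the patterns would let through."""
    return [p for p in paths if not is_ignored(p, patterns)]


def git_check_ignore(paths):
    """Authoritative check using git itself; run from inside a repository.

    --no-index answers from the ignore rules alone, so already-tracked files
    are reported too. Exit status 1 only means that nothing matched.
    """
    proc = subprocess.run(
        ["git", "check-ignore", "--no-index", "--", *paths],
        capture_output=True, text=True,
    )
    if proc.returncode not in (0, 1):
        raise RuntimeError(proc.stderr.strip() or "git check-ignore failed")
    return proc.stdout.splitlines()


if __name__ == "__main__":
    for path in CANDIDATES:
        print(f"{'ignored    ' if is_ignored(path) else 'NOT ignored'}  {path}")
```

Running the script prints one line per candidate; the five NOT ignored entries are exactly the cases the name-based patterns miss, which is the argument for pairing .gitignore with a pre-commit content check rather than relying on it alone.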

Code Analysis Safety

The project analyzes Genero/4GL source code to extract:

  • Function signatures and metadata
  • Call graphs and dependencies
  • Code metrics and complexity
  • File headers and references

Important: The analysis is a static parse of source text only; no Genero code is compiled, executed or evaluated. The source being analyzed should still be treated as untrusted input, since the parser and the handling of the file paths it reads are the tool's attack surface.

Database Security

SQLite databases generated by this tool:

  • Are created locally on the developer's machine
  • Are not committed to the repository (excluded by .gitignore)
  • Contain only metadata extracted from source code: function names and signatures, call graphs, metrics and file headers
  • Contain no sensitive data beyond what the analyzed source itself contains; for proprietary code that metadata is still confidential, and file headers may carry author names or e-mail addresses, so treat the database with the same classification as the source

Recommendations for Users

When Using This Tool

  1. Exclude sensitive files - Don't analyze codebases containing hardcoded credentials
  2. Review .gitignore - Ensure your sensitive files are properly excluded
  3. Local processing - Run analysis locally; don't upload generated databases to public repositories
  4. Access control - If analyzing proprietary code, ensure proper access controls are in place

For CI/CD Integration

  1. Temporary artifacts - Generated databases should be temporary and not committed
  2. Secure storage - Store analysis results in secure locations if needed
  3. Access logs - Monitor who accesses analysis results
  4. Data retention - Delete analysis results when no longer needed

Reporting Security Issues

If you discover a security vulnerability in this project:

  1. Do not open a public issue
  2. Do not commit sensitive data to demonstrate the issue
  3. Contact the maintainers privately with details
  4. Allow time for a fix before public disclosure

Best Practices

For Developers

  • Never commit .env files or configuration with credentials
  • Use environment variables for sensitive configuration
  • Review .gitignore before committing
  • Use git diff --cached to review changes before committing

For Repository Maintainers

  • Regularly review .gitignore for completeness
  • Scan commits for accidental sensitive data (a pre-commit check plus secret scanning on the repository); if a secret does land in history, rotate it and purge it from history, because deleting the file in a later commit leaves it recoverable
  • Use branch protection rules
  • Require code review before merging
  • Keep dependencies up to date

For Users

  • Review the source code before running on sensitive codebases
  • Understand what data is being extracted and stored
  • Implement proper access controls for analysis results
  • Follow your organization's security policies
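The developer practice of reviewing a commit before it is made, and the user practice of understanding what the generated database holds before sharing it, both come down to the same check: scan text for credential-like content. The script below is an added example, not genero-tools code, and it assumes nothing about the tool's real schema: scan_sqlite() walks every table and text column of whatever SQLite file it is given, and the sample database it builds is a constructed stand-in. The 4GL pattern follows the Genero BDL statement form CONNECT TO dbname USER name USING password; the AWS key in the test is the placeholder value from AWS's own documentation.

```python
"""Scan for credential-like content before it leaves a developer's machine.

Added example, not part of genero-tools. Works on the staged copy of files
in a git commit (for a pre-commit hook) or on every text value in a
SQLite database such as the metadata files this tool generates.
"""
import re
import sqlite3
import subprocess
import sys

# Heuristic indicators; each yields the label reported in a finding.
PATTERNS = [
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential assignment",
     re.compile(r"(?i)\b(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?[^\s'\"]{8,}")),
    # Genero BDL form: CONNECT TO dbname USER name USING password
    ("4gl CONNECT ... USING password",
     re.compile(r"(?i)\bCONNECT\s+TO\b.*\bUSING\s+['\"][^'\"]+['\"]")),
    ("email address (possible PII in a file header)",
     re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]


def scan_text(text, source):
    """Return (source, line_number, label) for every indicator hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            if rx.search(line):
                findings.append((source, lineno, label))
    return findings


def scan_sqlite(con, source="db"):
    """Scan every text value in every table of an open sqlite3 connection.

    Hits are located by rowid, so WITHOUT ROWID tables are skipped.
    """
    findings = []
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'
        cols = [r[1] for r in con.execute(f"PRAGMA table_info({quoted})")]
        try:
            rows = con.execute(f"SELECT rowid, * FROM {quoted}").fetchall()
        except sqlite3.OperationalError:
            continue
        for row in rows:
            for col, value in zip(cols, row[1:]):
                if isinstance(value, str):
                    findings += scan_text(value, f"{source}:{table}.{col}#{row[0]}")
    return findings


def scan_staged():
    """Scan the index (staged) copy of each added/modified file; use from a pre-commit hook."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR", "-z"],
        capture_output=True, check=True).stdout
    findings = []
    for name in out.split(b"\0"):
        if name:
            path = name.decode("utf-8", "surrogateescape")
            blob = subprocess.run(["git", "show", f":{path}"], capture_output=True, check=True).stdout
            findings += scan_text(blob.decode("utf-8", "replace"), path)
    return findings


def build_sample_db(con):
    """Constructed stand-in for a generated metadata database (not the real schema)."""
    con.executescript("""
        CREATE TABLE file_headers (path TEXT, header TEXT);
        CREATE TABLE functions (name TEXT, signature TEXT, body_excerpt TEXT);
    """)
    con.execute("INSERT INTO file_headers VALUES (?, ?)",
                ("src/orders.4gl", "-- Module: orders\n-- Author: jane.doe@example.com"))
    con.execute("INSERT INTO functions VALUES (?, ?, ?)",
                ("open_db", "FUNCTION open_db()",
                 'CONNECT TO "stores" USER "appuser" USING "Sup3rSecret!"'))
    con.execute("INSERT INTO functions VALUES (?, ?, ?)",
                ("report", "FUNCTION report(p_id INTEGER)", "DISPLAY p_id"))
    con.commit()


def demo():
    """Scan the constructed sample database; returns two findings."""
    con = sqlite3.connect(":memory:")
    build_sample_db(con)
    return scan_sqlite(con, "sample.db")


if __name__ == "__main__":
    if sys.argv[1:] == ["--staged"]:
        hits = scan_staged()
    elif sys.argv[1:]:
        hits = scan_sqlite(sqlite3.connect(sys.argv[1]), sys.argv[1])
    else:
        hits = demo()
    for source, lineno, label in hits:
        print(f"{source}:{lineno}: {label}")
    sys.exit(1 if hits else 0)
```

Run it with --staged from a pre-commit hook to block the commit on any hit, or pass the path of a generated database to review it before handing it to anyone. On the sample database it reports the author e-mail in the file header and the hardcoded password in the CONNECT statement, which is the kind of content the "Do not contain sensitive data" claim depends on the analyzed source not having.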

Data Privacy

This tool:

  • Does not collect or transmit any data
  • Does not require internet connectivity
  • Does not phone home or send telemetry
  • Operates entirely locally on your machine; because nothing needs the network, it can be run inside a network-less sandbox (for example a Linux network namespace) to confirm this

Compliance

The tool makes no compliance certifications of its own; SOC 2 and ISO 27001 attest to an organization's controls, not to a piece of software. Its design is nonetheless consistent with the common requirements:

  • GDPR - The tool collects no personal data itself; any personal data present in analyzed source (for example author names in file headers) is reproduced in the local output and remains the user's responsibility
  • HIPAA - No health information handling
  • SOC 2 - Local processing, no data transmission
  • ISO 27001 - Secure development practices as described in this document

Future Considerations

As the project evolves:

  • Security practices will be reviewed and updated
  • New features will be evaluated for security implications
  • Dependencies will be kept minimal to reduce attack surface
  • Code will be regularly audited for vulnerabilities

Questions?

If you have security concerns or questions about this project's security practices, please contact the maintainers privately.
