- Never hardcode credentials or secrets.
- Never print secrets in logs.
- Ask before touching auth, payments, crypto, or compliance paths.
- Prefer additive edits over destructive changes.
- If a potential secret leak is found, stop and report immediately.
- Provide a minimal remediation plan with verification steps.
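The first two rules and the leak-reporting rule are easier to follow with a concrete pattern. The following is an added example, not part of the original rules or any project code, showing the hardened shape: a credential read from the environment at runtime (failing closed instead of falling back to a literal), a `logging.Filter` that renders each record and masks secret-looking values before any handler sees them, and a scanner that flags log lines carrying potential secrets so they can be reported. The environment variable name `SERVICE_API_KEY`, the regex patterns, and the sample log lines are assumptions constructed for the example; the patterns are a heuristic, not an exhaustive catalogue of secret formats.

```python
"""Secret hygiene helpers: load credentials from the environment, redact
secret-looking values before they reach a log sink, and scan log lines for
potential leaks. Added example; the patterns are illustrative assumptions,
not a complete list of secret formats."""
import logging
import os
import re

# Heuristic patterns (assumptions for this example, not a complete catalogue).
KV_SECRET = re.compile(r"(?i)\b(api[_-]?key|token|password|secret)(\s*[=:]\s*)(\S+)")
BEARER = re.compile(r"(?i)\bbearer\s+\S+")
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS access key id shape
REDACTED = "[REDACTED]"


def redact(text: str) -> str:
    """Return text with secret-looking values masked. Key names and separators
    are kept so the line stays useful for debugging; only the value goes."""
    text = KV_SECRET.sub(lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}", text)
    text = BEARER.sub(f"Bearer {REDACTED}", text)
    text = AWS_ACCESS_KEY.sub(REDACTED, text)
    return text


def load_api_key(env=None) -> str:
    """Hardened form of `API_KEY = "sk_live_..."`: read the credential at
    runtime and fail closed. SERVICE_API_KEY is an assumed variable name."""
    env = os.environ if env is None else env
    key = env.get("SERVICE_API_KEY")
    if not key:
        raise RuntimeError("SERVICE_API_KEY is not set; refusing to fall back to a literal")
    return key


class RedactingFilter(logging.Filter):
    """Render the message with its args first, then mask secrets, so a caller
    who logs `"token=%s", token` cannot leak the value through the args."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # already interpolated; prevents a second % format
        return True


class CapturingHandler(logging.Handler):
    """Collects formatted lines so the redaction can be checked in-process."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def make_logger(name="secret-hygiene-demo"):
    """Build a logger whose only handler runs RedactingFilter before emitting."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = CapturingHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger, handler


def find_secret_leaks(lines):
    """Return (line_no, redacted_line) for every line that looks like it carries
    a secret. The redacted copy is safe to paste into a leak report."""
    hits = []
    for no, line in enumerate(lines, 1):
        if any(p.search(line) for p in (KV_SECRET, BEARER, AWS_ACCESS_KEY)):
            hits.append((no, redact(line)))
    return hits


SAMPLE_LOG = [  # constructed sample lines; none of these values are real credentials
    "INFO  request ok user=alice",
    "DEBUG config loaded api_key=sk_test_51FAKEFAKEFAKE region=eu",
    "DEBUG headers: Authorization: Bearer eyJhbGciOi.FAKE.sig",
    "WARN  retry with AKIAIOSFODNN7EXAMPLE",
]

if __name__ == "__main__":
    logger, captured = make_logger()
    logger.info("connecting with token=%s", "tok_FAKE123")
    print(captured.lines[0])  # INFO connecting with token=[REDACTED]
    for no, line in find_secret_leaks(SAMPLE_LOG):
        print(f"line {no}: {line}")  # lines 2, 3 and 4 are reported, values masked
```

The filter is attached to the handler rather than the logger so it also covers records that arrive via propagation from child loggers; for a real deployment the pattern list should be extended with the credential formats the codebase actually uses, and a scanner hit is the trigger for the stop-and-report rule above, not something to silently clean up.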