Security: DoRmAmMu1997/Multi-Agent-Devops-Suite

Security Policy

Reporting a vulnerability

If you discover a security issue, please email hemantdhamija@gmail.com with the subject [security] <short description>. Do not open a public GitHub issue for unpatched vulnerabilities.

You can expect:

  • An acknowledgement within 48 hours.
  • An assessment within one week.
  • A fix or mitigation plan within two weeks for valid reports.

What's in scope

  • The Python source under agents/, orchestrator/, ui/, utils/.
  • Build configuration: requirements.txt, requirements-dev.txt, pyproject.toml.
  • Sample logs in sample_logs/ (these are synthetic — but report any accidental real data).

What's out of scope

  • Issues in upstream dependencies (LangGraph, LangChain, Streamlit, slack-sdk, jira-python). Report those to the respective projects.
  • Issues in third-party services we integrate with (OpenRouter, Slack, JIRA).

Hygiene practices we follow

  • Secrets never enter the repo. .env is gitignored; all required vars are documented in .env.example with empty values.
  • Logging is filtered. utils/redaction.py installs a logging.Filter at application startup that scrubs Slack tokens, OpenAI/OpenRouter keys, JWTs, URLs containing secret query params, email addresses, and IPv4 addresses before any handler emits a record.
  • Input is validated. Uploaded log files are size-capped (5 MB) and extension-checked (.log .txt .json .csv).
  • HTTPS is enforced for the JIRA API URL — Basic auth credentials never travel over plaintext.
  • No eval, exec, subprocess(shell=True), or pickle.load on untrusted data anywhere in the codebase. Verified by manual review on every significant change.
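
A sketch of the log-redaction practice listed above, added here as an example; it is not the project's utils/redaction.py. The names `redact`, `RedactionFilter`, `install` and `demo`, the regular expressions, and all sample values are assumptions constructed for illustration.

```python
import io
import logging
import re

# Constructed patterns approximating the secret classes the policy lists.
_PATTERNS = [
    (re.compile(r"xox[abprs]-[A-Za-z0-9-]+"), "[SLACK_TOKEN]"),
    (re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"), "[API_KEY]"),
    (re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"), "[JWT]"),
    (re.compile(r"([?&](?:token|key|api_key|secret|password)=)[^&\s]+", re.I), r"\1[REDACTED]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IPV4]"),
]

def redact(text: str) -> str:
    """Apply every pattern in order; the result is stable if redacted twice."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text

class RedactionFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args first so secrets passed as arguments are covered,
        # then drop args so no handler can re-interpolate the raw values.
        record.msg = redact(record.getMessage())
        record.args = None
        return True

def install(logger: logging.Logger) -> None:
    # Attach to handlers, not the logger: a logger-level filter is skipped
    # for records that propagate up from child loggers.
    for handler in logger.handlers:
        handler.addFilter(RedactionFilter())

def demo() -> str:
    """Log constructed secrets through a child logger and return the output."""
    stream = io.StringIO()
    parent = logging.getLogger("redaction_demo")
    parent.handlers = [logging.StreamHandler(stream)]
    parent.setLevel(logging.INFO)
    parent.propagate = False
    install(parent)
    child = logging.getLogger("redaction_demo.agents")
    child.info("slack=%s from %s", "xoxb-1111-constructed", "10.0.0.7")
    child.info("GET https://example.invalid/hook?token=abc123&page=2 by ops@example.invalid")
    return stream.getvalue()
```

This sketch rewrites only the message text; traceback text rendered from `exc_info` by the handler's formatter is not covered and would need separate handling.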

There aren't any published security advisories