# Security Policy

Pi Toolbelt is designed for agent-safe external-service operations. It is not a secret manager and must never receive raw API keys, passwords, tokens, private keys, or cookies in chat or CLI arguments.

## Supported versions

Pre-release. Security reports are accepted for the current `main` branch until the first stable release.

## Reporting a vulnerability

Please open a private GitHub security advisory when available, or contact Victor Apsis through the GitHub profile linked from this repository.

Do not include live secrets in reports. Use redacted examples such as `sk_live_...redacted`.

## Security principles

- **Secret-safe output path**: Toolbelt applies redaction to secret-shaped CLI output before returning results to Pi. Provider results can still contain private operational data, so choose operations intentionally.
- **No secret values in storage**: local state must not persist tokens, keys, passwords, cookies, or full credential-bearing URLs.
- **Secret-shaped input rejection**: CLI and Pi extension input should reject obvious token/password/key material.
- **Read-first default**: provider status, inventory, list, inspect, and logs are the default public operations.
- **Approval-gated mutations**: mutations return `approval_required` unless the user explicitly requests and confirms a mutating operation with a reason.
- **Blocked destructive operations**: irreversible delete/reset/destructive operations should be blocked or double-gated.
- **Local-state isolation in tests**: tests must use temporary Toolbelt homes and must not touch real provider accounts by default.
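
A minimal sketch of the output-redaction and input-rejection principles above, added here as an illustration and not Toolbelt's own code. The patterns, function names and sample strings are constructed assumptions.

```python
import re

REDACTED = "[REDACTED]"

# Constructed, deliberately small pattern set (an assumption, not Toolbelt's rules).
TOKEN_RE = re.compile(
    r"\b(?:sk|pk|rk)_(?:live|test)_[A-Za-z0-9]{8,}"   # prefixed API keys
    r"|\bgh[pousr]_[A-Za-z0-9]{20,}"                   # GitHub-style tokens
    # whole PEM private key block, or to end of text if the footer is cut off
    r"|-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?"
    r"(?:-----END [A-Z ]*PRIVATE KEY-----|\Z)"
)
# key=value or key: value pairs whose key names a credential
PAIR_RE = re.compile(
    r"(?i)\b(password|passwd|token|api[_-]?key|secret|cookie)(\s*[=:]\s*)(\S+)"
)
# scheme://user:password@host (credential-bearing URL)
URL_CRED_RE = re.compile(r"(?i)\b([a-z][a-z0-9+.-]*://)[^\s/:@]+:[^\s/@]+@")


def is_secret_shaped(text):
    """True if the text contains anything matching the patterns above."""
    return bool(
        TOKEN_RE.search(text) or PAIR_RE.search(text) or URL_CRED_RE.search(text)
    )


def check_input(args):
    """Reject secret-shaped arguments; the error names the position, never the value."""
    for i, arg in enumerate(args):
        if is_secret_shaped(arg):
            raise ValueError(f"argument {i} looks like a credential; refusing it")
    return args


def redact(text):
    """Replace secret-shaped spans in output, keeping the surrounding context."""
    text = URL_CRED_RE.sub(lambda m: m.group(1) + REDACTED + "@", text)
    text = PAIR_RE.sub(lambda m: m.group(1) + m.group(2) + REDACTED, text)
    return TOKEN_RE.sub(REDACTED, text)
```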

## What should never be committed

- `.env` or `.env.*` files, except `.env.example`
- provider ledgers or local runtime data
- generated provider caches containing local absolute paths
- API keys, OAuth tokens, cookies, passwords, SSH keys, private URLs with credentials
- Victor-specific local paths or private business data

## Trust boundary

Installing a Pi package gives it local code execution privileges. Users should inspect package source and pin versions when using Toolbelt in sensitive environments.
