Security and Permissions
Safety note: Never paste secrets,
.envvalues, or production tokens into AI prompts or shared screenshots.
- Do not paste secrets into prompts.
- Do not expose
.envfiles. - Do not grant broad filesystem access without review.
- Treat MCP servers as privileged.
- Review diffs before committing.
- Avoid auto-running destructive shell commands.
- Use least privilege.
- Prefer read-only access first.
- Document approved tools.
- Avoid unapproved third-party extensions for private code.
Team tip: Use this repo as the public baseline, then move company-specific tool approvals and MCP allowlists into a team fork.