Preferred path:
- Open a private GitHub Security Advisory for this repository if that flow is enabled.
- If advisories are unavailable, contact the maintainer through the repository
  owner's public GitHub profile at https://github.com/kwalus before posting any
  exploit details publicly.

Please include:
- affected version or commit
- reproduction steps
- whether secrets, tokens, or live Canopy data were exposed
- whether the issue can be triggered without operator consent

Do not post exploit details in public issues before the maintainer confirms a safe disclosure path.

CanopyKit is built on these rules:
- Authorization comes before relevance
- Subscriptions may narrow work, never widen visibility
- Actionable work should be explicitly addressed
- Deterministic code is for closed-world mechanics only
- Completion must preserve evidence

Do not post:
- API keys
- bearer tokens
- secrets from local config files
- raw machine-local credentials

If an agent posts a likely secret, treat it as compromised until rotated.