This repository is a local stdio MCP server and governance workspace for:
- Gemini-only model execution
- Next.js App Router + React + Tailwind + shadcn output flows
- repository-local quality gates, runtime governance, and CI container orchestration
Security reports are most useful when they include a clear reproduction path, the affected files or commands, and the expected impact.
This repository is currently public. GitHub private vulnerability reporting is enabled for this repository, and this repository does not currently provide a separate security mailbox or external intake form.
Current reporting path:
- Use GitHub private vulnerability reporting for this repository.
- If GitHub private reporting is temporarily unavailable to you, use the
repository owner contact surface designated in
CODEOWNERSto request a maintainer-confirmed private conversation. - If you already have repository access, keep the first report to the minimum details needed to establish the correct maintainer route.
- If you do not already have repository access, use the owner or organization contact surface first. Do not assume the repository issue tracker is an appropriate intake path for external security reports.
- Do not include exploit details, secrets, private infrastructure data, or proof-of-concept payloads until a maintainer confirms the correct private route for the full report.
If you cannot establish a non-public channel, wait before disclosing exploit details publicly. Public reports should be limited to non-sensitive hardening ideas, configuration questions, or already remediated issues.
Please include:
- affected version, branch, or commit
- impacted command, workflow, or file path
- reproduction steps
- expected vs actual behavior
- security impact assessment
- whether secrets, credentials, or private infrastructure details are involved
This policy does not cover:
- feature requests
- documentation typos without security impact
- upstream vulnerabilities that are already tracked by the upstream project and are not caused by this repository's integration layer
This repository is maintained on a best-effort basis. Acknowledgment and fix timelines are not guaranteed.
Repository-local secret scanning is not enough to claim that public release is safe.
Before any future visibility change or public-release claim, maintainers should also run a full-history audit and review the findings:
npm run security:history:audit
npm run governance:history-hygiene:check
npm run security:oss:audit
npm run release:public-safe:checkImportant boundary:
- a passing current-tree scan does not prove historical Git data is clean
- a failing history audit must be treated as a release blocker until maintainers classify or remediate the findings
governance:history-hygiene:checkproves the current history report is classified; it does not prove provider-side revocation or rewritten history- public repository visibility does not waive this requirement
security:oss:auditadds repo-local TruffleHog, git-secrets, and ScanCode keyfile coverage on top of the history auditsecurity:pii:auditis a separate heuristic tracked-content sweep for email addresses and phone-like contact data; it complements secret scanning but does not replace legal/privacy review.github/workflows/codeql.ymlis the repository-owned CodeQL entrypoint for GitHub code-scanning alerts- live-provider verification remains manual-only and should enter the protected
live-gemini-manualenvironment before repository secrets are exposed to the job