
Security: jokiatgithub/AgentKanban


SECURITY.md

Security Policy

AgentKanban can have access to AI provider credentials, Cloudflare resources, and private workflow data. Treat security reports seriously even while the project is at an early stage.

Supported Versions

The main branch is the supported development line.

Reporting A Vulnerability

Do not open a public issue for secrets, auth bypasses, data exposure, or infrastructure access problems.

If you find a security issue:

  1. Open a private security advisory on GitHub if available.
  2. Include a minimal reproduction and affected files or endpoints.
  3. Avoid including live secrets in the report.

Expected first response target: within 7 days.

Secret Handling

  • Never commit .env, .dev.vars, API keys, bearer tokens, or private customer data.
  • Keep .env.example placeholder-only.
  • Rotate any secret that appears in logs, screenshots, snapshots, or issue comments.
  • Remember that VITE_* values are bundled into browser builds and should not be treated as private.

Public Demo Guidance

Before making a deployment public:

  • Use a non-production D1 database.
  • Keep HEARTBEATS_PAUSED=true until the runtime is verified.
  • Use a separate API secret for demos.
  • Review snapshots and logs for exported sensitive content.
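The secret-handling and public-demo rules above can be checked mechanically before a deployment. The following is an added example, not part of the project: it parses dotenv-style files, flags VITE_* keys with secret-looking names (Vite inlines VITE_* values into the browser bundle), requires HEARTBEATS_PAUSED=true for a public demo, and reports .env.example values that are not placeholders. The secret-name and placeholder patterns and the sample file contents are constructed assumptions.

```python
import re

# Assumed heuristics: names that suggest a secret, and value shapes accepted as placeholders.
SECRET_NAME = re.compile(r"SECRET|TOKEN|KEY|PASSWORD|CREDENTIAL", re.IGNORECASE)
PLACEHOLDER = re.compile(r"|<[^>]+>|changeme|your[-_].*|\$\{[^}]+\}|x+|\.\.\.", re.IGNORECASE)

# Constructed sample files (not from the project) used by the checks below.
SAMPLE_DEV_VARS = """
# constructed .dev.vars
API_SECRET=dev-only-secret
VITE_API_SECRET=dev-only-secret
VITE_APP_NAME=AgentKanban
HEARTBEATS_PAUSED=false
"""
SAMPLE_ENV_EXAMPLE = """
# constructed .env.example
API_SECRET=<your-api-secret>
VITE_APP_NAME=
CLOUDFLARE_API_TOKEN=cf-looks-like-a-real-token
"""


def parse_env(text):
    """Parse KEY=VALUE lines of a dotenv file, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_runtime_env(env, public_demo=False):
    """Return findings for a runtime env: browser-exposed secrets and demo safety flags."""
    findings = []
    for key in env:
        # VITE_* values end up in the shipped JavaScript, so they must never be secrets.
        if key.startswith("VITE_") and SECRET_NAME.search(key):
            findings.append(f"{key}: VITE_ prefix exposes this value in the browser bundle")
    if public_demo and env.get("HEARTBEATS_PAUSED", "").lower() != "true":
        findings.append("HEARTBEATS_PAUSED must be true until the runtime is verified")
    return findings


def check_example_file(env):
    """Return keys in .env.example whose values are not recognised placeholders."""
    return [key for key, value in env.items() if not PLACEHOLDER.fullmatch(value)]


if __name__ == "__main__":
    for finding in check_runtime_env(parse_env(SAMPLE_DEV_VARS), public_demo=True):
        print("runtime:", finding)
    for key in check_example_file(parse_env(SAMPLE_ENV_EXAMPLE)):
        print("example file has a non-placeholder value:", key)
```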

There aren't any published security advisories