Security and safe operation
Protect accounts, repositories, credentials, and agent execution.
Protect the account
Use the canonical browser login, keep recovery channels current, and sign out on shared machines. Treat invitations and OAuth consent screens as security decisions: verify the organization, application, and requested scope.
Protect credentials
Use API keys only where they are needed. Prefer expiration and narrow limits, keep secrets outside repositories, and revoke credentials immediately when they are exposed or no longer required.
Protect private source
Private repositories should be accessed only through an authenticated client or browser session. Do not paste private source into public issues, external prompts, screenshots, or support requests. Check the selected owner and repository before sharing a link.
Protect agent execution
Before starting agent-assisted work, confirm the repository, issue, workspace boundary, permissions, and expected landing path. Review commands and diffs, do not approve destructive actions you cannot explain, and keep the resulting changes in a stack reviewable by a human.
Report a problem
For a suspected credential leak, revoke the credential first. Then preserve the relevant timestamps, repository, issue, and review links without copying secrets into the report. Contact your organization administrator or the product support channel with the smallest useful reproduction.