Security and safe operation

Protect accounts, repositories, credentials, and agent execution.

Protect the account

Use the canonical browser login, keep recovery channels current, and sign out on shared machines. Treat invitations and OAuth consent screens as security decisions: verify the organization, application, and requested scope.

Protect credentials

Use API keys only where they are needed. Prefer expiration and narrow limits, keep secrets outside repositories, and revoke credentials immediately when they are exposed or no longer required.

Protect private source

Private repositories should be accessed only through an authenticated client or browser session. Do not paste private source into public issues, external prompts, screenshots, or support requests. Check the selected owner and repository before sharing a link.

Protect agent execution

Before starting agent-assisted work, confirm the repository, issue, workspace boundary, permissions, and expected landing path. Review commands and diffs, do not approve destructive actions you cannot explain, and keep the resulting changes in a stack reviewable by a human.

Report a problem

For a suspected credential leak, revoke the credential first. Then preserve the relevant timestamps, repository, issue, and review links without copying secrets into the report. Contact your organization administrator or the product support channel with the smallest useful reproduction.