Security: Polarityinc/Promising-Spec-Library

.github/SECURITY.md

Security

Reporting a vulnerability

If you discover a security issue in this repo (a spec or scaffold that leaks secrets, a script that mishandles credentials, or anything else with security implications), please do not open a public issue.

Instead, email support@polarity.so with:

  • A description of the issue.
  • Steps to reproduce.
  • The affected file(s) at a specific commit SHA.
  • Your name (so we can credit you, if you'd like).

We aim to acknowledge reports within 2 business days and to publish a fix within 30 days for confirmed issues.

Scope

This repo contains:

  • Markdown scaffolds and YAML specs: design artifacts with no runtime privileges.
  • One Python agent: agents/stripe-refund-aud/agent.py, stdlib-only, executes inside Keystone sandboxes only.
  • Helper scripts under scripts/: linters; no network access.

It does not contain:

  • Production secrets. The .env file is gitignored.
  • Credentials, tokens, or service account keys.
  • Code that talks to user-facing services other than Keystone and (optionally) xAI / Anthropic / OpenAI APIs that the test agents call.

If you believe something in this repo is leaking a credential, that's a confirmed vulnerability. Email immediately.

Out of scope

  • Issues in upstream Keystone (Polarity's platform). Report those via Polarity support.
  • Issues in third-party APIs the agents call (xAI, Anthropic, OpenAI). Report to those vendors.
  • Hypothetical vulnerabilities in agent code generated by AI coders following the scaffolds. Those are the responsibility of whoever wrote and uploaded the agent; this repo only ships the scaffold (description), not the implementation.
