Alice v0.1 is local-first. Security posture in this repo is scoped to local runtime defaults and deterministic command paths.

Please report security issues privately by opening a private security advisory in GitHub for this repository. Include:

• affected component/file
• reproduction steps
• impact assessment
• suggested mitigation (if available)

Do not open public issues for active security vulnerabilities.

• Postgres remains the system of record.
• User-owned data paths are RLS-governed.
• Public CLI/MCP/importer surfaces should not bypass trust/provenance boundaries.
• Consequential side effects remain approval-bounded.

• keep .env local and do not commit secrets
• keep local services bound to loopback where possible
• run verification commands before release tagging