If you discover a security vulnerability in COREY, do not open a public issue.

Instead, report it privately:

1. Email the maintainers with a description of the vulnerability
2. Include steps to reproduce if possible
3. Allow 72 hours for an initial response

COREY handles credentials and secrets. The following principles guide every design decision:

• Secrets are never logged, printed, or stored in plain text
• Secret values are zeroed from memory after use
• The --json output for secrets never includes values (GitHub does not expose them)
• Variable values are visible by design (GitHub variables are not secret)

• Local credentials use OS keychain (macOS Keychain, Linux libsecret)
• Fallback encrypted file storage uses Argon2 key derivation + AES-256-GCM
• No credentials are written to disk in plaintext

• All GitHub API operations go through the gh CLI, which handles HTTPS/TLS
• No direct HTTP calls are made from COREY
• Repository detection uses local git remote only

• Subprocess arguments never contain secret values inline
• Secret values are passed via stdin pipes to gh secret set
• No shell expansion occurs (all subprocesses use execve-style argv)

• Does not implement its own TLS or HTTP client
• Does not store GitHub PATs or OAuth tokens directly
• Does not bypass gh auth for API access
• Does not transmit credentials to any endpoint other than GitHub (via gh)