Agent Context Bridge reads local agent session files and may generate project-local handoff packets, raw evidence references, encrypted sync bundles, and audit ledgers. Treat those artifacts as sensitive project context.
| Version | Supported |
|---|---|
| 1.x | Yes |
Please report security issues privately through GitHub Security Advisories:
https://github.com/Yongthyuan/agent-context-bridge/security/advisories/new
If advisories are unavailable, open a minimal GitHub issue that says a private security report is needed. Do not include secrets, raw transcripts, bundle contents, or exploit details in a public issue.
- Remote sync remains disabled by default.
- Native agent history mutation remains disabled by default.
- Raw transcript exposure should stay bounded and explicit.
- Generated runtime state belongs under `.agent-bridge/` and should not be committed.
- Encrypted local-directory sync bundles require caller-provided key material.
Reports involving unintended raw transcript exposure, unsafe native writes, weak policy checks, or plaintext sync leakage are high priority.