Agent Continuity is designed to avoid collecting secrets and personal work history. It still writes project-local notes, so treat those notes as source files that deserve review before publishing.
Security fixes are handled on the default branch until versioned releases are added.
Use GitHub private vulnerability reporting when available. If the repository does not have private reporting enabled, open a minimal public issue that describes the affected area without including secrets, tokens, private URLs, or customer data.
Do not include sensitive values in bug reports, examples, screenshots, logs, fixtures, or pull requests.
Sensitive values include credentials, environment values, private URLs, customer data, personal identifiers, raw chat transcripts, and local home paths.
Before merging a release-facing change:
- Run
python scripts/privacy-scan.py .. - Review changed examples manually for synthetic data only.
- Confirm generated images contain no readable paths, logs, keys, names, or screenshots.
- Confirm the installable skill remains small and does not include private project documentation.