Report security issues privately to the maintainers before opening a public issue.
Do not include secrets, tokens, private keys, private repository URLs, or personal data in public reports.
ACR v0.1 is designed to be safe to commit to Git by default.
Forbidden by default:
- raw prompts
- raw model transcripts
- secrets
- environment variables
- access tokens
- private keys
- full shell output
- authenticated URLs
- unnecessary personal data
Allowed by default:
- short summaries
- artifact paths
- artifact hashes
- tool names
- command names
- exit codes
- redacted logs
- policy rule ids
- verification status