If you discover a security vulnerability in Kindling, please report it privately rather than opening a public issue.

Email: security@eddacraft.ai

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (optional)

We take all security reports seriously and will respond promptly.

This policy applies to all packages in the Kindling repository:

Package	npm
@eddacraft/kindling
@eddacraft/kindling-core
@eddacraft/kindling-cli
@eddacraft/kindling-store-sqlite
@eddacraft/kindling-store-sqljs
@eddacraft/kindling-provider-local
@eddacraft/kindling-server
@eddacraft/kindling-adapter-opencode
@eddacraft/kindling-adapter-pocketflow
@eddacraft/kindling-adapter-claude-code

During the v0.x development phase, only the latest version receives security updates.

Once we reach v1.0, we will maintain security updates for the current major version and one prior major version.

Kindling is designed as a local-first tool:

• All data is stored locally in SQLite
• No data is sent to external services
• No network connections are made by the core packages

Kindling captures development activity which may include:

• Tool call arguments and results
• Command output
• File diffs
• Error messages and stack traces

Automatic protections:

• The OpenCode adapter includes automatic secret redaction
• Content is truncated to prevent excessive storage
• Certain file paths are excluded by default

User responsibilities:

• Review captured observations periodically
• Use redaction for accidentally captured secrets
• Secure the SQLite database file appropriately

The SQLite database file contains all captured observations. Users should:

• Restrict file permissions appropriately
• Consider encryption for sensitive environments
• Include the database in backup strategies