# Security & Safety

## Secrets
- Never output secrets or tokens.
- Never log sensitive inputs.
- Never commit credentials.

## Inputs
- Validate external inputs at boundaries.
- Fail closed for auth/security decisions.

## Tooling
- No destructive commands unless requested and scoped.
- Prefer read-only operations first.