If you discover a security issue in HomeBase DevShell / DevReady:

1. Do not open a public issue for exploitable vulnerabilities.
2. Use GitHub Private vulnerability reporting (preferred).
3. Include:
   • description and impact;
   • steps to reproduce;
   • affected commands or scripts;
   • version from devshell version or modules/KGreen.Workstation.psd1 ModuleVersion.

In scope:

• Product CLI: install, health, doctor, privacy, repair (-Fix)
• Destructive module commands (restoreconfig, cleanup, backup rotation)
• Profile / terminal deployment scripts
• PGP key handling (pgp-*)
• Privacy repair scripts (registry/DNS)
• Path / module load issues leading to privilege or data loss

Out of scope:

• Tor network anonymity guarantees
• Third-party tools installed via winget
• Misuse on systems you are not authorized to manage

• Intended for systems you own or may manage.
• Microsoft Defender AV is never enabled by this project.
• Run backupconfig before destructive module operations.
• Use -WhatIf on cleanup where supported.

GitHub CodeQL does not support PowerShell (tracking issue). CI uses PSScriptAnalyzer (script-analysis job) plus smoke tests instead.

• MANIFESTO — trust boundaries
• PROJECT-PRINCIPLES — repair and privacy rules
• RELEASE-CRITERIA — release gates