From 69f2a96e662b38d7df41f66d5fa064458ca72f10 Mon Sep 17 00:00:00 2001 From: Kieran Klaassen Date: Fri, 6 Mar 2026 14:55:20 -0800 Subject: [PATCH] docs: add privacy and security policies --- PRIVACY.md | 38 ++++++++++++++++++++++++++++++++++++++ SECURITY.md | 29 +++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 PRIVACY.md create mode 100644 SECURITY.md diff --git a/PRIVACY.md b/PRIVACY.md new file mode 100644 index 0000000..3edcbfe --- /dev/null +++ b/PRIVACY.md 
@@ -0,0 +1,38 @@ +# Privacy & Data Handling + +This repository contains: +- a plugin package (`plugins/compound-engineering`) made of markdown/config content +- a CLI (`@every-env/compound-plugin`) that converts and installs plugin content for different AI coding tools + +## Summary + +- The plugin package does not include telemetry or analytics code. +- The plugin package does not run a background service that uploads repository/workspace contents automatically. +- Data leaves your machine only when your host/tooling or an explicitly invoked integration performs a network request. + +## What May Send Data + +1. AI host/model providers + +If you run the plugin in tools like Claude Code, Cursor, Gemini CLI, Copilot, Kiro, Windsurf, etc., those tools may send prompts/context/code to their configured model providers. This behavior is controlled by those tools and providers, not by this plugin repository. + +2. Optional integrations and tools + +The plugin includes optional capabilities that can call external services when explicitly used, for example: +- Context7 MCP (`https://mcp.context7.com/mcp`) for documentation lookup +- Proof (`https://www.proofeditor.ai`) when using share/edit flows +- Other opt-in skills (for example image generation or cloud upload workflows) that call their own external APIs/services + +If you do not invoke these integrations, they do not transmit your project data. + +3. Package/installer infrastructure + +Installing dependencies or packages (for example `npm`, `bunx`) communicates with package registries/CDNs according to your package manager configuration. + +## Data Ownership and Retention + +This repository does not operate a backend service for collecting or storing your project/workspace data. Data retention and processing for model prompts or optional integrations are governed by the external services you use. 
+ +## Security Reporting + +If you identify a security issue in this repository, follow the disclosure process in [SECURITY.md](SECURITY.md). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..d8446f9 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,29 @@ +# Security Policy + +## Supported Versions + +Security fixes are applied to the latest version on `main`. + +## Reporting a Vulnerability + +Please do not open a public issue for undisclosed vulnerabilities. + +Instead, report privately by emailing: +- `kieran@every.to` + +Include: +- A clear description of the issue +- Reproduction steps or proof of concept +- Impact assessment (what an attacker can do) +- Any suggested mitigation + +We will acknowledge receipt as soon as possible and work with you on validation, remediation, and coordinated disclosure timing. + +## Scope Notes + +This repository primarily contains plugin instructions/configuration plus a conversion/install CLI. + +- Plugin instruction content itself does not run as a server process. +- Security/privacy behavior also depends on the host AI tool and any external integrations you explicitly invoke. + +For data-handling details, see [PRIVACY.md](PRIVACY.md).
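Review bot: In the PRIVACY.md hunk, the "Summary" bullets scope the no-telemetry and no-background-upload statements to "the plugin package" only, while the introduction lists two components: the plugin package and the CLI (`@every-env/compound-plugin`). A reader cannot tell from this text whether the CLI itself makes network requests (beyond the package-manager traffic covered in item 3), so add a bullet that states explicitly what the CLI does and does not transmit, e.g. "- The CLI does not include telemetry or analytics code and only contacts the network when installing packages." Two smaller points: the "Other opt-in skills (for example image generation or cloud upload workflows)" line is the one place a user auditing egress cannot verify, so list the skills and the hosts they call the way Context7 and Proof are listed; and the "What May Send Data" items are numbered headings separated by paragraphs, which renders as three separate lists, so consider `### 1. AI host/model providers` style subheadings instead.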
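Review bot: In the SECURITY.md hunk, "Supported Versions" says fixes are applied to the latest version on `main`, but the CLI is also a published package, so state whether a fix is released as a new package version and that older published versions are not supported; otherwise a user pinned to a release cannot tell whether they are covered. The reporting channel is a single personal mailbox with no stated acknowledgment window; "as soon as possible" gives a reporter nothing to plan coordinated disclosure around, so add a target (for example acknowledgment within a fixed number of business days) and, if the repository is on GitHub, mention private vulnerability reporting via a security advisory as a second channel. Finally, "Scope Notes" describes what the content does not do (no server process) but not which report classes are in scope; since the plugin ships instructions that the host AI tool executes on the user's behalf and the policy itself names external integrations the instructions can invoke, say explicitly that reports about instruction content causing unintended actions or data leaving the machine through those integrations are in scope.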