If you discover a security vulnerability in this repository's reference tools, please do NOT open a public GitHub issue. Instead, use GitHub's private vulnerability reporting so the maintainers can triage privately:
Contact: https://github.com/Clarethium/lodestone/security/advisories/new
You can expect:
- Acknowledgement within 7 days
- Initial assessment within 14 days
- Coordinated disclosure timeline based on severity
Lodestone is primarily a methodology manuscript (CC-BY 4.0). The security-relevant surface is the small set of reference tools shipped alongside it.
In scope:
- tools/lodestone-score.py: the reference scoring CLI
- tools/lodestone-pretool-hook.sh: the reference Claude Code PreToolUse hook
- scripts/canon_audit.sh and the CI workflow that runs it
A security issue here would be, for example, a tool that executes untrusted input, leaks a path or secret it should not, or a hook that runs attacker-controlled commands.
Out of scope:
- The manuscript text itself. It is prose under CC-BY 4.0; disagreements with the methodology are not security issues.
- The behavior of any AI system a reader chooses to apply the methodology to. Lodestone describes practice; it does not execute on your behalf.
The latest published version of the manuscript and tools is supported. Fixes ship on the main branch.
Vulnerabilities are disclosed via GitHub Security Advisories. Credit is given to reporters who choose to be acknowledged.