Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in RevSignal, please do not open a public issue.

Instead, email security@artificialartz.xyz with:

  • A clear description of the issue
  • Steps to reproduce (proof-of-concept welcome)
  • The version / commit hash where you observed it
  • Your name / handle if you want public credit in the fix notes

We aim to acknowledge reports within 72 hours and to ship a fix or a documented mitigation within 14 days for high-severity issues.

Scope

In scope:

  • This repository (revsignal) — code, configuration, documentation
  • Reference n8n workflows published here
  • The public demo at signal.artificialartz.xyz

Out of scope:

  • The private revsignal-core repository
  • Customer or prospect data (we do not process such data through the public demo)
  • Third-party services we depend on (report directly to Bright Data, Anthropic, n8n, etc.)

Handling Secrets in This Repository

This project is open source. No secret may be committed, including:

  • API tokens (Bright Data, Anthropic, Runware, Telegram, n8n)
  • Database credentials
  • Private webhook URLs
  • Customer or prospect data

Use .env.example as the template; real values belong in a local .env file (gitignored) or in your secrets manager.

Pre-commit secret scanning is recommended. We run gitleaks on every push and PR via GitHub Actions; see .github/workflows/secret-scan.yml.

If you believe a secret has been committed by accident:

  1. Rotate the secret immediately at the source (do not assume an unindexed force-push has erased it).
  2. Email security@artificialartz.xyz so we can purge it from history.

Responsible Disclosure

We follow coordinated disclosure. Please give us a reasonable window to fix issues before going public; in return, we will credit you in the changelog and the fix commit (if you want public credit).

Thank you for helping keep RevSignal safe.