• Do not commit market-data keys, broker credentials, private notes, or provider secrets.
• Keep local provider configuration in .env.
• Treat research output as untrusted until reviewed.
• Keep sensitive research notes in ignored private folders.

Report security concerns to shawsignaldev@proton.me.