# Security Policy

## Supported Versions

| Version | Supported |
| ------- | ------------------ |
| >= 1.0.0 | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability, please:

1. **Do not** open a public issue
2. Email the maintainer directly or use GitHub's private vulnerability reporting
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

## What to Expect

- Acknowledgment within 48 hours
- Status update within 7 days
- Fix timeline depends on severity

## Security Considerations

This plugin handles OKR data which may contain sensitive organizational information:

### Data Handling

- All processing happens locally in Claude Code
- No data is transmitted to external services (except configured integrations)
- Linear integration uses your own API credentials

### Sensitive Files

The following files contain sensitive data and are gitignored:

| File | Contents |
|------|----------|
| `.claude/okr.local.md` | Linear API configuration, team settings |
| `.mcp.json` | MCP server credentials |

### Best Practices

- Never commit `okr.local.md` to version control
- Use environment variables for API keys when possible
- Review OKR content before sharing externally
- Consider data classification when tracking sensitive objectives

## Linear Integration Security

If using Linear integration:

- API keys are stored locally in `okr.local.md`
- Use team-scoped API keys, not personal tokens
- Rotate keys periodically
- Review Linear's security documentation