Security: nesharp/nsug-nvim

SECURITY.md

Security Policy

Supported Versions

nsug is currently in alpha. Security fixes are only guaranteed for the latest state of the default branch until tagged releases are published regularly.

Reporting a Vulnerability

  • Do not open public GitHub issues for suspected vulnerabilities.
  • Report security issues privately to eng@nsug.dev.
  • Include reproduction steps, impact, affected commit or version, and whether the issue requires local access, a malicious workspace, or network access.

Scope Notes

  • The plugin and server are intended for local development workflows.
  • If you configure a remote server or remote model endpoint, treat all code sent to that endpoint as data leaving your machine.
  • Completion requests may include the current buffer, surrounding context, recent file metadata, workspace paths, and content from other open buffers in the same workspace.
  • Auto-downloaded server binaries are checksum-verified, but checksum files and binaries come from the same release source. Use only trusted releases.
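
The last scope note, as an added example (not nsug's own code): when the release source is replaced, the binary and its checksum file change together, so the same-source check still passes, while a digest pinned out of band does not. The file names `server` and `server.sha256`, the helper functions, and the idea of a separately recorded digest are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo files only; nothing here downloads or touches a real release.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Same-source check: compare the binary with the checksum file shipped beside it.
# $1 = binary, $2 = checksum file in "<hex>  <name>" form
verify_release_checksum() {
    [ "$(sha256_of "$1")" = "$(awk '{print $1; exit}' "$2")" ]
}

# Pinned check: compare the binary with a digest recorded out of band
# (for example, reviewed and stored in your own dotfiles repository).
# $1 = binary, $2 = pinned hex digest
verify_pinned() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Build a constructed "release", pin its digest, then replace binary and
# checksum file together, as a compromised release source would.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'genuine server build\n' > "$dir/server"
    printf '%s  server\n' "$(sha256_of "$dir/server")" > "$dir/server.sha256"
    pinned=$(sha256_of "$dir/server")   # recorded while the release was trusted

    printf 'replaced server build\n' > "$dir/server"
    printf '%s  server\n' "$(sha256_of "$dir/server")" > "$dir/server.sha256"

    verify_release_checksum "$dir/server" "$dir/server.sha256" && same=pass || same=fail
    verify_pinned "$dir/server" "$pinned" && pin=pass || pin=fail
    rm -rf "$dir"
    echo "same-source=$same pinned=$pin"
}

demo
```

The same-source checksum still catches truncated or corrupted downloads; the pinned digest is what detects a changed release.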

Hardening Recommendations

  • Keep server.host on 127.0.0.1 unless you intentionally expose the server.
  • Avoid using nsug on sensitive repositories until your endpoint, retention, and logging policies are reviewed.
  • Never commit local config files, prompt dumps, API keys, or runtime data.
