Threadline is designed for local, file-backed control state. It does not need credentials, browser profiles, chat exports, or production data to run the included demonstration.
Security fixes are applied to the latest release on the default branch.
Open a GitHub security advisory for vulnerabilities. Do not include secrets, real workspace ledgers, private file paths, or personal data in a public issue.
- Start with synthetic data and explicitly allowlisted project paths.
- Keep credentials and raw conversations outside project registries, ledgers, projections, and knowledge-return candidates.
- Treat a project registration as access only to its declared read/write scope, never as authorization for the containing directory.
- Review generated projections before sharing them outside the local machine.
- Run
npm run release:scanbefore every public release.
Threadline validates control-state shape; it is not an operating-system sandbox and cannot replace filesystem permissions or human approval for destructive or external actions.