
Security: SpinaBuilds/agent-discipline


SECURITY.md

Security Policy

Reporting a vulnerability

Please do not open a public issue for security problems.

Use GitHub's private vulnerability reporting (the Security tab → Report a vulnerability). You'll get an acknowledgement, and a fix or mitigation will be coordinated before public disclosure.

Scope — read this first

agent-discipline is a standard and an audit skill. It ships:

  • Markdown (the standard, references, docs) — no executable risk.
  • A skill (skills/audit-setup/SKILL.md) that instructs a coding agent to read config files and produce a report. It is designed to be read-only; it does not modify your config unless you explicitly ask it to apply fixes.
  • templates/settings.reference.json — a reference harness config whose hook entries (./hooks/*.sh) are placeholders, not implementations. Do not assume they do anything until you write them. Treat any hook you add as code that runs on your machine.

The deny-list patterns in the reference are safe to adopt as-is. The hook commands are illustrative — review and implement them yourself before relying on them.
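Since the hook entries in the reference file are placeholders that become code running on your machine once you fill them in, a first review step is to enumerate every hook command the settings file references and check that the script it points to actually exists, is executable, and is not writable by other users. The check below is an added example, not part of agent-discipline; it assumes a settings JSON with a top-level "hooks" object whose leaves carry "command" strings (the exact nesting is an assumption, so the walker collects every "command" key under "hooks" at any depth), and the sample settings and hook files it builds are constructed for the demonstration.

```python
"""Hygiene check for hook commands referenced from a harness settings file.

Added example, not agent-discipline's own code. It assumes a settings JSON
with a top-level "hooks" object whose leaves carry "command" strings, like
the reference file SECURITY.md describes; the nesting is an assumption, so
the walker collects every "command" key under "hooks" regardless of depth.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample in the assumed shape; the ./hooks/*.sh paths are placeholders.
SAMPLE_SETTINGS = json.loads("""
{
  "hooks": {
    "PreToolUse": [
      {"matcher": "Bash", "hooks": [{"type": "command", "command": "./hooks/ok.sh"}]},
      {"matcher": "Edit", "hooks": [{"type": "command", "command": "./hooks/loose.sh --strict"}]}
    ],
    "PostToolUse": [
      {"hooks": [{"type": "command", "command": "./hooks/missing.sh"},
                 {"type": "command", "command": "./hooks/noexec.sh"}]}
    ]
  }
}
""")


def collect_hook_commands(settings):
    """Return every "command" string found anywhere under settings["hooks"]."""
    commands = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "command" and isinstance(value, str):
                    commands.append(value)
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(settings.get("hooks", {}))
    return commands


def check_hook(command, base_dir):
    """Classify the script a hook command runs: missing, world-writable,
    not-executable, or ok. Only the first token is treated as the script path;
    arguments after it are ignored. "ok" is a file-hygiene verdict only, it
    says nothing about what the script does, so still read it."""
    tokens = command.split()
    if not tokens:
        return "missing"
    path = Path(base_dir) / tokens[0]
    if not path.is_file():
        return "missing"
    mode = path.stat().st_mode
    if mode & stat.S_IWOTH:
        return "world-writable"  # anyone on the host could edit what the agent runs
    if not os.access(path, os.X_OK):
        return "not-executable"
    return "ok"


def audit_hooks(settings, base_dir):
    """Map each referenced hook command to its verdict."""
    return {cmd: check_hook(cmd, base_dir) for cmd in collect_hook_commands(settings)}


def demo():
    """Build a throwaway repo layout with one hook per failure mode and audit it."""
    with tempfile.TemporaryDirectory() as repo:
        hooks_dir = Path(repo) / "hooks"
        hooks_dir.mkdir()
        for name, mode in (("ok.sh", 0o755), ("loose.sh", 0o777), ("noexec.sh", 0o644)):
            script = hooks_dir / name
            script.write_text("#!/bin/sh\nexit 0\n")
            script.chmod(mode)
        # missing.sh is deliberately never created
        return audit_hooks(SAMPLE_SETTINGS, repo)


if __name__ == "__main__":
    for command, verdict in demo().items():
        print(f"{verdict:16} {command}")
```

Point `audit_hooks` at the real settings file and repository root; anything other than "ok" means the hook entry is still a placeholder or is sitting on disk in a state you would not want an agent to execute from.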

Supply chain

This repo has no runtime dependencies. If that changes, dependencies will be vetted per the standard's own AD-9.

There aren't any published security advisories