Security: stamsam/AiCLI

SECURITY.md

Security Policy

AiCLI is local-first, but the Mac Bridge can run provider CLIs, local model requests, setup commands, and future agent actions. Treat it as a trusted local developer service.

For the current security model, supported auth behavior, permission gates, workspace constraints, and reporting guidance, see docs/SECURITY.md.

The Bridge should stay on localhost or a trusted private network such as Tailscale. Do not expose it directly to the public internet.

Reporting

Before public release, report security issues privately to the project owner. Do not open public issues that include secrets, tokens, private logs, or exploit details.

Public Release TODO

  • Choose and publish an official security contact.
  • Confirm the final license.
  • Re-run the GitHub release checklist before publishing.

There aren't any published security advisories