# AGENTS.md — Security basics

- Never commit secrets. `.env*` is gitignored, secrets injected by the platform.
- Parameterised queries only. No string-concatenated SQL.
- Validate untrusted input at the trust boundary with a schema.
- Passwords: argon2id / scrypt. Tokens never appear in logs.
- No PII in logs.
- Dependency scanners run weekly.