This repo is designed so the shared codebase stays publishable while real operator state stays local.

• Keep product-specific runtime state under gitignored projects/<slug>/.
• Prefer per-project .env files for credentials.
• Treat cookies, screenshots, staged outputs, and trackers as local-only artifacts.
• Re-run onboarding on the current machine instead of moving browser cookies between machines.
• Do not put live passwords, API keys, or session exports in tracked root files.

• Shared runtime code in src/
• Starter assets in starter-assets/
• Dependency lists in requirements/
• Operator docs like README.md, AGENTS.md, CLAUDE.md, and projects/README.md

• projects/<slug>/**
• .env
• browser cookie exports
• run logs
• action artifacts
• screenshots
• local virtualenvs and caches

1. Put credentials in projects/<slug>/reddit/.env or projects/<slug>/x/.env
2. Run onboarding
3. Let the browser automation save fresh local cookies inside the active project
4. Use safe mode and staged review before live posting

Config-based passwords are supported for local convenience, but they should still live inside gitignored project files. .env is the safer default.

If you find a security issue in the shared repo surface, document the exact file and behavior, then fix or isolate it before pushing the repo to a remote. For this repo, the expected standard is "safe to publish the scaffolding, unsafe to publish project state."