Security
Security posture
DebugBundle is built with security as a core product concern. Sensitive data redaction, token scope separation, and secure defaults are architectural requirements, not afterthoughts.
Automatic redaction
Passwords, authentication headers, cookies, card numbers, and SSNs are automatically scrubbed before storage. Custom redaction patterns are supported.
Token scope separation
Project tokens are write-only (SDK ingestion). Member tokens are read/manage (CLI, API, MCP). These scopes are never conflated.
Hashed credentials
All tokens are hashed at rest using SHA-256. Plaintext is shown exactly once at creation and never stored. Passwords use bcrypt.
Webhook signatures
All webhook payloads are signed with HMAC-SHA256 so receivers can verify authenticity. Signing secrets are revealed once at creation.
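As an added example (not DebugBundle's own code), this is the receiver-side check the signing scheme above enables: recompute HMAC-SHA256 over the exact raw request body and compare in constant time. The header name, hex encoding, secret and sample payload are assumptions constructed for the example.

```typescript
// Added example, not DebugBundle's own code: HMAC-SHA256 webhook signing and
// verification. Header name and hex encoding are assumptions, not the real wire format.
import { createHmac, timingSafeEqual } from "node:crypto";

const SIGNATURE_HEADER = "x-debugbundle-signature"; // assumed header name

/** Sender side: sign the exact raw body bytes that will be transmitted. */
function signPayload(secret: string, rawBody: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

/**
 * Receiver side: recompute the HMAC over the raw body (never over a re-serialized
 * JSON object, whose bytes may differ) and compare in constant time. Returns false
 * rather than throwing on a missing, malformed or wrong-length signature, so a bad
 * header cannot crash the handler.
 */
function verifySignature(
  secret: string,
  rawBody: string,
  headers: Record<string, string | undefined>,
): boolean {
  const presented = headers[SIGNATURE_HEADER];
  // A SHA-256 hex digest is exactly 64 hex characters; reject anything else up front.
  if (!presented || !/^[0-9a-f]{64}$/i.test(presented)) return false;
  const expected = Buffer.from(signPayload(secret, rawBody), "hex");
  const given = Buffer.from(presented, "hex");
  // timingSafeEqual throws on length mismatch; the check above guarantees 32 bytes each.
  return timingSafeEqual(expected, given);
}

// Constructed sample delivery: the sender signs, the receiver verifies.
const demoSecret = "whsec_example_secret"; // constructed, not a real secret
const demoBody = JSON.stringify({ event: "bundle.created", id: "b_123" }); // constructed
const demoHeaders = { [SIGNATURE_HEADER]: signPayload(demoSecret, demoBody) };
console.log(verifySignature(demoSecret, demoBody, demoHeaders)); // true
console.log(verifySignature(demoSecret, demoBody + " ", demoHeaders)); // false: body altered
```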
Input validation
All external inputs are validated with Zod schemas at system boundaries. Internal stack traces are never exposed to clients.
Local-first privacy
In local-only mode, no data leaves your machine. All processing happens locally with zero network requests to DebugBundle servers.
Security documentation
For detailed security information, see the security section in the documentation.
Reporting vulnerabilities
If you discover a security vulnerability, please report it responsibly. Do not open public issues for security reports. See the SECURITY.md file in the project repository for reporting instructions.