Security
stable
- Never paste Sift tokens, credential-store contents, or private brain content into docs, issue trackers, or client configuration committed to source control.
- Use browser OAuth for hosted MCP and the operating-system credential store for the CLI.
- Scope work to the intended workspace/brain and least capability.
- Treat external source content as untrusted; citations establish provenance, not safety.
- Require explicit intent for writes and review destructive or broad changes before execution.
- Revoke lost clients and rotate scoped service credentials immediately.
This static site runs no authenticated API explorer and receives no workspace data.