Security: drhalto/agentmako

Security Policy

Mako is pre-1.0 local-first developer tooling. The current supported branch is main.

Reporting A Vulnerability

Use the public repository's private vulnerability reporting channel when it is enabled. If private reporting is unavailable, contact the maintainer through the repository owner profile and avoid posting exploit details publicly until there is a fix or mitigation.

Do not include live API keys, database URLs, Supabase service-role keys, customer data, or private repository contents in a public issue.

Local Data Model

Mako stores project indexes, snapshots, tool runs, review notes, and Reef facts in local SQLite databases. Those files are runtime state and should not be committed or attached to public issues unless they are synthetic fixtures created specifically for reproduction.

Live database tools should remain read-only unless a tool explicitly states that it writes to Mako's local project store. Local review tools such as db_review_comment do not mutate the live database.

There aren't any published security advisories