Handbook
Security and responsible use
This aligns with CONTRIBUTING.md and the Responsible use section of the repo README.
Updated
Secrets and configuration
- Do not commit API keys, tokens, or raw
.envcontents into docs, tests, or examples. - Prefer environment profiles documented in Model routing and local-only files ignored by git.
- Library code should not log full authorization headers or secrets.
Content and automation
Use LCDL only on material you have rights to automate (internal QA, owned practice content, authorized ingestion). Do not use tasks to bypass paywalls, logins, CAPTCHA, rate limits, proctoring, or anti-abuse controls.
Browser and MCP
Playwright and MCP integrations run in consumer-controlled contexts; policy (allowed hosts, headless vs headed) is a consumer concern.
Observability
When adding logging, redact secrets and large payload bodies in shared environments.