Security: briacdev/pgcopycat

SECURITY.md

Security Policy

Supported Scope

pgcopycat is a local developer tool for PostgreSQL refresh and cloning workflows. Security reports are especially relevant for:

  • Credential handling
  • Plain-text config persistence
  • Unsafe destructive behavior on destination databases
  • Command execution and shell interaction
  • Unexpected leakage of sensitive data in reports or logs

Reporting a Vulnerability

Please do not open a public GitHub issue for a suspected security vulnerability.

Instead:

  1. Contact the maintainer privately through the repository contact channel or private security reporting mechanism, if available.
  2. Include a clear description of the issue, impact, affected versions, and steps to reproduce.
  3. If possible, include a minimal config or command example with secrets redacted.

If no private reporting channel is available yet, create one before widely publishing the repository, or add a dedicated maintainer security email address to this file.

What to Include

Helpful details:

  • pgcopycat version or commit
  • Operating system
  • PostgreSQL version
  • Command or config used, with secrets removed
  • Expected behavior
  • Actual behavior
  • Impact assessment

Sensitive Data Guidance

Because pgcopycat supports plain-text passwords for local development:

  • Never publish real credentials in issues or pull requests
  • Redact connection strings, passwords, hostnames, and dumps before sharing
  • Do not commit local config files containing credentials
  • Review generated reports before attaching them publicly

Security Philosophy

This project aims to be conservative by default:

  • explicit confirmation before destructive operations
  • identity checks between source and destination
  • local config files ignored by Git
  • early detection of missing tools and extensions

That said, this is a developer convenience tool, not a hardened secret-management product. Use it with care and prefer isolated local or non-production targets whenever possible.

There aren't any published security advisories