Security and trust

Trust boundaries for secrets, generated files, hosted auth, sessions, and sparse storage in the Bindhub alpha.

Secrets

Bindhub should block unsafe secret capture before object writes. Treat credentials, tokens, private keys, local database URLs, and service tokens as local environment data unless a reviewed policy says otherwise.
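A minimal sketch of such a pre-write gate, added here as an illustration and not taken from Bindhub's code. The rule patterns, the `gate_write` name, the `(path, rule)` exception format, and the sample files are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed detection rules for categories the page lists; not Bindhub's rule set.
RULES = {
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "database_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@"),
    "token_assignment": re.compile(
        r"(?i)\b[\w-]*(?:token|secret|api[_-]?key|password)[\w-]*\s*[:=]\s*['\"]?[^\s'\"]{16,}"),
}

@dataclass(frozen=True)
class Finding:
    # Location and rule only: the matched value is never copied into a finding,
    # so reports and logs cannot leak the secret they describe.
    path: str
    line: int
    rule: str

def scan(path: str, data: bytes) -> list[Finding]:
    text = data.decode("utf-8", errors="replace")
    return [Finding(path, n, rule)
            for n, line in enumerate(text.splitlines(), 1)
            for rule, pattern in RULES.items() if pattern.search(line)]

def gate_write(candidates: dict[str, bytes], reviewed_exceptions=frozenset()):
    """Run before any object write. Returns (writable_paths, blocked_findings).

    reviewed_exceptions holds (path, rule) pairs a reviewed policy allows
    (hypothetical policy shape); anything else that matches blocks the file.
    """
    writable, blocked = [], []
    for path, data in sorted(candidates.items()):
        hits = [f for f in scan(path, data)
                if (f.path, f.rule) not in reviewed_exceptions]
        if hits:
            blocked.extend(hits)
        else:
            writable.append(path)
    return writable, blocked

# Constructed sample folder contents (all values are placeholders).
SAMPLE = {
    "src/app.py": b"import os\nDB = os.environ['DATABASE_URL']\n",
    ".env": b"DATABASE_URL=postgres://app:constructed-pw@localhost:5432/dev\n"
            b"SERVICE_TOKEN=constructed-value-0123456789abcdef\n",
    "tests/fixtures/dummy.pem": b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n",
}
```

The gate fails closed per file: a single unreviewed match keeps the whole file out of the object store, and the exception list is the only way a matching file gets through.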

Generated files and overlays

Dependencies, caches, build output, editor state, and machine-specific configuration can be useful, but they are not always source. Bindhub should make overlay state explicit so restoring a folder does not silently import unsafe local clutter.

Auth and session boundary

Browser code should not send WorkOS access tokens directly to the hosted Bindhub API. The dashboard server verifies the WorkOS session, performs a server-to-server exchange, and uses the returned Bindhub session token and device id for dashboard reads.

Sparse storage caveats

Chunk vocabulary and cache metadata do not mean sparse clone is complete. Remote protocol v2, chunk transfer, compression, lazy materialization, and OS virtual filesystem work remain later steps.

Operational rule

Bindhub should never pretend bytes are local when cache metadata says they are remote-only or partial. Hydration state is part of the trust boundary.

Agent work

Agents should work in sandboxes or explicit workspaces and merge through reviewed boundaries. Generated patches, dependency changes, and local tool output should stay visible to the human who owns the folder.