SherpaMind

This repository appears internally consistent with its SherpaDesk-backend purpose, but before installing or enabling live sync: - Review scripts/bootstrap.py and scripts/run.py (and the systemd unit content produced by install-service) so you know exactly what will run and when. - Keep the workspace (the directory containing .SherpaMind/) somewhere private and outside any git-tracked repo; do not commit .SherpaMind/ or its secrets. Confirm .gitignore excludes .SherpaMind/. - The staged API key is stored in plaintext under .SherpaMind/private/secrets/sherpadesk_api_key.txt — use a least-privilege API token and be prepared to rotate it if it is ever exposed. - The tool will create a local SQLite DB and may generate public Markdown artifacts under .SherpaMind/public/; do not serve those files or move them to a public location if they contain sensitive derived data. - The bootstrap process will pip-install dependencies from PyPI; run bootstrap-audit first and consider doing the initial run in an isolated environment or VM if you want to inspect behavior safely. - If you plan to enable the optional user-level systemd service, inspect the generated unit and logs and only enable it when comfortable with ongoing background network calls to SherpaDesk. If you want extra assurance, run the bootstrap and initial seed in a disposable environment, confirm the files written and requests made, then proceed to use in production with the mitigations above.