Autonomous Procurement Agent

1. Always set LS_WEBHOOK_SECRET in production — the server refuses to start without it. There is no bypass flag. 2. OPENAI_API_KEY is opt-in — without it, no quote content is ever sent to any external API. 3. Import your historical price baseline before using F2 — without it, F2 spike detection uses a conservative built-in table. 4. Keep PARSER_DATA_DIR backed up — data/licenses.json is the source of truth for all license state. 5. Do not commit data/licenses.json to git — add it to .gitignore. License records are per-install, not per-repo. 6. Use PROCU_ALLOWED_TIER only in local dev — it bypasses webhook signature validation and must never be set in production. 7. Webhook logs are sanitised automatically — sanitize() redacts email addresses and API keys before writing logs. 8. Review F2 spike alerts promptly — F2 is silent until a spike is detected; configure alerts accordingly.