- Restrict repo hosting endpoints to trusted users.
- Use key-based SSH access and remove inactive accounts.
- Limit administrative commands to privileged operators.
- Enforce code review before accepting incoming changes.
- Use signed changesets where supported by workflow.
- Protect release branches from unauthorized rewrites.
- Keep Mercurial and extensions updated.
- Back up repositories and validate that the backups restore.
- Monitor for unusual push/pull activity spikes.
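The branch-protection and privileged-operator items above can be enforced server-side with a Mercurial `pretxnchangegroup` hook, which runs after incoming changesets are received but before the transaction is committed, so a rejection rolls the push back. The following is an added example, not code from the checklist or from the Mercurial project. It assumes a server-side `.hg/hgrc` section named `[protect]` with `branches` (glob patterns) and `allowed` (pusher names), and that the authenticated pusher is exposed to the hook through the `REMOTE_USER` environment variable (e.g. hgweb behind HTTP authentication); both the section name and the variable are assumptions of this example. The policy decision is kept in `check_changes`, which depends only on plain Python data, so it can be unit-tested without a Mercurial install.

```python
"""Added example: Mercurial pretxnchangegroup hook that rejects pushes to
protected branches unless the pusher is on an allow-list.

Assumed server-side hgrc (not from the checklist):
    [hooks]
    pretxnchangegroup.protect = python:/srv/hg/hooks/protect.py:hook
    [protect]
    branches = stable, release-*
    allowed  = release-manager, ci-bot
"""
from __future__ import annotations

import fnmatch
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class IncomingChange:
    node: str    # short changeset hash, used only in the rejection message
    branch: str  # named branch the changeset belongs to
    author: str  # commit author; informational only, never used for authorisation


def parse_list(value: str) -> list[str]:
    """Split a comma- or whitespace-separated config value into items."""
    return [item.strip() for item in value.replace(",", " ").split() if item.strip()]


def is_protected(branch: str, patterns: list[str]) -> bool:
    """True if the branch name matches any protected glob pattern."""
    return any(fnmatch.fnmatchcase(branch, pattern) for pattern in patterns)


def check_changes(changes: list[IncomingChange], protected: list[str],
                  allowed: set[str], pusher: str) -> list[str]:
    """Return one violation message per changeset that touches a protected
    branch when the pusher is not on the allow-list; empty list means accept.

    The pusher identity must come from the authentication layer, not from the
    changeset's author field, which anyone can set to any value."""
    if pusher in allowed:
        return []
    return [
        f"{c.node}: branch '{c.branch}' is protected; pusher '{pusher}' is not authorised"
        for c in changes
        if is_protected(c.branch, protected)
    ]


def hook(ui, repo, hooktype, node=None, **kwargs) -> int:
    """Mercurial entry point. ui/repo are Mercurial's objects, whose API uses bytes.
    Returns 0 to accept the push and 1 to reject it."""

    def cfg(name: str, default: str) -> str:
        raw = ui.config(b"protect", name.encode(), default.encode())
        return raw.decode("utf-8")

    protected = parse_list(cfg("branches", "stable"))
    allowed = set(parse_list(cfg("allowed", "")))
    # Assumption: the auth front end exports the authenticated user as REMOTE_USER.
    pusher = os.environ.get("REMOTE_USER", "<unauthenticated>")

    # `node` is the first changeset added by this push; every later rev is new too.
    changes = []
    for rev in range(repo[node].rev(), len(repo)):
        ctx = repo[rev]
        changes.append(IncomingChange(
            node=ctx.hex()[:12].decode("ascii"),
            branch=ctx.branch().decode("utf-8", errors="replace"),
            author=ctx.user().decode("utf-8", errors="replace"),
        ))

    violations = check_changes(changes, protected, allowed, pusher)
    for message in violations:
        ui.warn(f"protect: {message}\n".encode("utf-8"))
    return 1 if violations else 0


if __name__ == "__main__":
    # Constructed sample push: one changeset on 'stable', one on 'default'.
    sample = [
        IncomingChange("0123abcd4567", "stable", "dev@example.test"),
        IncomingChange("89ef0123abcd", "default", "dev@example.test"),
    ]
    for who in ("alice", "release-manager"):
        print(who, "->", check_changes(sample, ["stable", "release-*"], {"release-manager"}, who))
```

Because the hook only looks at the branch of each new changeset, a pusher on the allow-list can still only append to a protected branch; Mercurial's own phase rules continue to prevent rewriting changesets that are already public. Pair the hook with key-based SSH or HTTP authentication so that `REMOTE_USER` reflects a verified identity rather than a value the client can choose.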