Security fixes are applied to the latest main branch.

Please do not open public issues for security vulnerabilities.

Report privately by email with:

• Vulnerability summary
• Reproduction steps
• Impact assessment
• Suggested remediation if available

Maintainers will acknowledge reports within 72 hours and provide status updates.

• Never commit credentials or API keys.
• Use .env.example for placeholder configuration.
• Validate and sanitize all user input.
• Prefer least-privilege service credentials.
• Keep dependencies up to date and monitor advisories.