Security

SECURITY.md

Security Policy

Supported Versions

Security fixes are applied to the latest active branch (main) first.

Reporting a Vulnerability

Please do not open public issues for vulnerabilities.

Report via repository security advisory or private contact with:

affected version/commit
reproduction steps
impact scope
suggested mitigation (if available)

We will acknowledge receipt and provide triage status.

Scope highlights

Local runtime and approval paths
Token/session handling
Tool and MCP boundaries
External connector handling (if configured)

Out of scope

Misconfiguration on publicly exposed hosts without recommended controls
Third-party runtime bugs outside this repository

There aren’t any published security advisories