If you discover a security vulnerability, please report it responsibly:

1. DO NOT open a public issue.
2. Email the maintainer directly or use GitHub's private security advisory feature.
3. Include a description of the vulnerability, steps to reproduce, and potential impact.

Only the latest version on the main branch receives security updates.

• All dependencies are audited for known vulnerabilities.
• Secrets are never committed to the repository.
• CI pipelines scan for hidden Unicode and secret patterns.
• Agent safety policies restrict AI access to sensitive files.