If you discover a security vulnerability in this project, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please email the maintainers directly at the address listed in the repository contact information, or use GitHub's private vulnerability reporting.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment within 48 hours
• Status update within 7 days
• We will coordinate disclosure timing with you

This project is a research simulation framework. Security concerns include:

• Code injection via YAML scenario files or agent configurations
• Dependency vulnerabilities in third-party packages
• LLM API key exposure through logging or error messages
• Arbitrary code execution through agent or plugin mechanisms

• CodeQL static analysis runs on every push and weekly
• Dependabot monitors dependencies for known vulnerabilities
• YAML loading uses yaml.safe_load (no arbitrary object instantiation)
• LLM API keys are read from environment variables, never stored in config files