Security: FasterApiWeb/skill-orchestrator

SECURITY.md

Security Policy

Supported versions

We publish security fixes for the latest minor release on main. Older tags may not receive backports.

Reporting a vulnerability

Please do not open public GitHub issues for undisclosed security bugs.

Instead, email security@example.com with:

  • A description of the issue and its impact
  • Steps to reproduce (proof-of-concept if possible)
  • Affected versions or commit SHAs

We aim to acknowledge reports within three business days.

Supply chain

  • Run npm audit locally before publishing.
  • CI enforces high/critical audit gates and uploads coverage to Codecov.
  • Skill packages should be validated (checksum, manifest review) before installation in sensitive environments.

There aren’t any published security advisories