Do not file a public GitHub issue for security vulnerabilities.

Report via GitHub Security Advisories: https://github.com/ashlrai/ashlr-stack/security/advisories/new

We will acknowledge within 3 business days, triage within 7, and coordinate disclosure timing with you before any public release.

In scope: @ashlr/stack CLI, ashlr-stack-mcp MCP server, @ashlr/stack-core package, and any published npm packages in this repo.

Out of scope: Third-party provider APIs (Supabase, Vercel, etc.) and Phantom Secrets itself — report Phantom issues via Phantom's own disclosure channel.

We're glad to credit reporters in release notes. If you prefer anonymity, just say so in your report.