Please use GitHub Security Advisories for private reports:

• Report a vulnerability

Do not open public issues for suspected vulnerabilities.

• Destructive actions stay review-gated.
• Native/system commands remain capability-checked and test-covered.
• Policy, protection, and whitelist behavior must stay explicit and auditable.