If you find a security issue, please do not open a public issue first.

Instead, report it privately to the maintainers with:

• A clear description of the issue
• Impact assessment
• Reproduction steps or proof of concept
• Suggested mitigation (if available)

We will acknowledge receipt as soon as possible and work on a fix.

Security-sensitive areas include:

• Pairing/authentication token handling
• Local storage of chat/session metadata
• WebSocket protocol handling and validation