
Security: languageseed/valet-gateway


SECURITY.md

Security Policy

Supported Versions

Version Supported
0.0.x

Reporting a Vulnerability

If you discover a security vulnerability in Valet Gateway, please report it responsibly:

  1. Do NOT open a public GitHub issue for security vulnerabilities
  2. Email the maintainers with details of the vulnerability
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Any suggested fixes (optional)

Security Considerations

API Keys & Secrets

Valet Gateway handles API keys for multiple providers. Best practices:

  • Never commit .env files - they are gitignored by default
  • Use environment variables for all secrets
  • Rotate keys regularly, and immediately if you suspect exposure
  • Use separate keys for development and production

Network Security

  • By default, Valet Gateway binds to 0.0.0.0 (all interfaces) - ensure proper firewall rules
  • Use HTTPS in production (via a reverse proxy such as nginx)
  • PostgreSQL connections should use TLS in production

Container Security

  • Official Docker images are based on python:3.11-slim
  • GPU access requires the --gpus all flag
  • Consider using read-only root filesystem where possible
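The network and container points above, pulled together in an added docker-compose example (not part of the project's own files). The image name, the internal port 8000, the DATABASE_URL variable and the nginx TLS setup are assumptions.

```yaml
# Added example: a hardened Compose layout applying the guidance above.
# Assumptions (not from the project): image name, internal port 8000,
# a DATABASE_URL setting, and an nginx container that holds the TLS certs.
services:
  gateway:
    image: valet-gateway:local          # placeholder image name
    # Secrets come from the gitignored .env file, never from this file.
    env_file: .env
    environment:
      # TLS to PostgreSQL; verify-full also checks the server certificate.
      DATABASE_URL: postgresql://valet:${DB_PASSWORD}@db:5432/valet?sslmode=verify-full
    # The gateway binds 0.0.0.0 inside the container. Do NOT publish that
    # port on the host (ports: - "8000:8000" would expose it on every
    # interface); only nginx reaches it over the internal compose network.
    expose:
      - "8000"
    read_only: true                     # read-only root filesystem
    tmpfs:
      - /tmp                            # scratch space the app may still need
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia            # Compose equivalent of `docker run --gpus all`
              count: all
              capabilities: [gpu]

  nginx:
    image: nginx:1.27-alpine
    ports:
      - "443:443"                       # HTTPS is the only port published on the host
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./certs:/etc/nginx/certs:ro
    depends_on:
      - gateway
```

With this layout, host firewall rules only need to admit 443, and a misconfigured gateway bind address no longer exposes the API directly.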

Security Updates

Security updates will be released as patch versions (e.g., 0.0.2) and announced in the CHANGELOG.

There aren't any published security advisories