Security: srex-dev/Guardian-Agent

SECURITY.md

Security

Reporting a vulnerability

If you believe you have found a security vulnerability, please do not open a public GitHub issue.

  • Preferred: Use GitHub Security Advisories (if enabled for this repo), or
  • Alternative: Email the maintainers privately (e.g. via the contact listed in the repo profile or README).

Include:

  • A short description of the issue
  • Steps to reproduce (if possible)
  • Impact (e.g. who can be affected, under what conditions)
  • Any suggested fix or mitigation (optional)

We will acknowledge receipt and aim to respond within a reasonable time. We may ask for more detail or work with you on a fix before publishing an advisory or CVE.

Security updates

  • Fixes for security issues will be released in a patch or minor version and noted in CHANGELOG.md.
  • For critical issues we may publish a security advisory and recommend upgrading immediately.

Secure configuration

  • Use environment variables (or a secrets manager) for signing keys, JWT secrets, and API keys in production — see docs/DEPLOYMENT.md and docs/FULL_SYSTEM_ANALYSIS.md.
  • Run the server behind a reverse proxy for TLS (HTTPS) and avoid exposing it directly to the internet without authentication.

There aren’t any published security advisories