Report security issues to jess@sulliwood.org. Do not open public issues for security vulnerabilities.

Only the latest commit on the default branch receives security updates.

• Secrets encrypted with sops-nix (age keys)
• TruffleHog + Gitleaks scanning on every push
• Preseed scripts use secure deletion for boot partition secrets
• Serial consoles secured via Tailscale network boundary (ADR-002)
• SSH key-only authentication (no passwords)