If you find a security issue, please do not open a public issue with exploit details, secrets, or private user data.

Use a private contact channel if one is listed on the repository or profile. If no private channel is available, open a minimal public issue that says a security concern exists, without sensitive details.

Please do not commit or post:

• API keys, service tokens, or .env values
• Firebase, Google Maps, Cloudinary, database, or JWT secrets
• Private location records, real user photos, or personal identifiers
• Release APK, AAB, database dump, or generated credential files