If you discover a security vulnerability, please report it responsibly:
- Do not open a public issue.
- Email thekcatsai@gmail.com with the subject "SECURITY: <repo>" and a clear description.
- Include reproduction steps and your contact info.
We acknowledge receipt within 72 hours and aim to provide a fix or mitigation timeline within 7 days.
The latest released version on main is supported. Older versions are not patched unless explicitly noted in CHANGELOG.md or release notes.
Responsible disclosure is appreciated. After a fix is released, the reporter will be publicly credited unless anonymity is requested.
In scope: source code in this repository, published packages (npm/PyPI), and configuration files. Out of scope: third-party dependencies (report upstream), social-engineering attacks, denial-of-service via legitimate API usage.