
Security: 1dZb1/CodeBoard


SECURITY.md

Security Policy

Supported versions

Security updates are provided only for the current head of the main branch; older commits do not receive fixes.

Reporting a vulnerability

Please do not open a public issue for security vulnerabilities.

Instead, report privately with:

  • vulnerability summary
  • impact assessment
  • reproduction steps
  • proof of concept (if available)
  • affected commit/version

Response process

  1. Acknowledge the report within 72 hours.
  2. Validate and triage severity.
  3. Prepare and test a fix.
  4. Coordinate disclosure timing with reporter.
  5. Publish advisory/changelog note after patch release.

Scope notes

  • Secrets accidentally committed to history are treated as critical.
  • Dependency vulnerabilities are triaged by their exploitability in this project's context, not by upstream severity alone.
  • Development-only tooling vulnerabilities may be accepted temporarily with documented rationale.

Security best practices for contributors

  • Never commit API keys, tokens, passwords, .env files, or local database files. Treat anything that reaches git history as compromised: rotate it, do not just delete the file.
  • Use least-privilege credentials in local testing.
  • Keep dependencies pinned via the lockfile and install with npm ci rather than npm install; npm ci installs exactly what the lockfile records and fails if package.json and the lockfile disagree.
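A local pre-commit hook is the cheapest way to enforce the first and third points before anything reaches history. The script below is an added example, not part of CodeBoard; it assumes POSIX sh and git, and the file and content patterns are illustrative, not an exhaustive secret catalogue. Copy it to .git/hooks/pre-commit and make it executable. It blocks staged .env, database and private-key files, scans only the added lines of the staged diff for credential-like strings, and refuses a package.json change that does not also stage package-lock.json.

```shell
#!/bin/sh
# Added example pre-commit hook (not CodeBoard's own code).
# Assumes: POSIX sh, git on PATH, run from the repository root by git.

# Paths that must never be committed (illustrative, extend as needed).
FORBIDDEN_PATH_RE='(^|/)\.env(\..*)?$|\.(sqlite|sqlite3|db)$|(^|/)id_(rsa|ed25519)$|\.pem$'

# Content that usually is a credential: AWS access key ids, GitHub PATs,
# PEM private keys, and "key = longvalue" style assignments.
SECRET_CONTENT_RE='AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----|(api[_-]?key|secret|password|token)[[:space:]]*[:=][[:space:]]*["'"'"']?[A-Za-z0-9_-]{12,}'

# check_paths: newline-separated paths on stdin; returns 1 if any is forbidden.
check_paths() {
  if hits=$(grep -E -i "$FORBIDDEN_PATH_RE"); then
    printf 'blocked file(s):\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# check_content: text on stdin; returns 1 if any line looks like a credential.
check_content() {
  if hits=$(grep -E -n -i "$SECRET_CONTENT_RE"); then
    printf 'possible secret(s) in staged changes:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# check_lockfile: newline-separated paths on stdin; returns 1 when package.json
# is staged but package-lock.json is not, so npm ci would later refuse the tree.
check_lockfile() {
  paths=$(cat)
  if printf '%s\n' "$paths" | grep -qx 'package.json' &&
     ! printf '%s\n' "$paths" | grep -qx 'package-lock.json'; then
    echo 'package.json staged without package-lock.json; run npm install and stage the lockfile' >&2
    return 1
  fi
  return 0
}

main() {
  # Added, copied, modified or renamed files in the index.
  staged=$(git diff --cached --name-only --diff-filter=ACMR)
  [ -z "$staged" ] && exit 0
  rc=0
  printf '%s\n' "$staged" | check_paths || rc=1
  printf '%s\n' "$staged" | check_lockfile || rc=1
  # Only '+' lines of the staged diff (not the '+++' header), so text already
  # in history is not re-flagged on every commit.
  git diff --cached --unified=0 --diff-filter=ACMR | grep -E '^\+[^+]' | check_content || rc=1
  exit $rc
}

# Run only when installed as the hook; sourcing the file just defines the checks.
case "${0##*/}" in
  pre-commit) main "$@" ;;
esac
```

The hook is a last line of defence on the developer's machine, not a substitute for a history scan in CI: a secret that slips past it and is pushed still has to be rotated, which is why the scope notes above rate committed secrets as critical.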

There aren't any published security advisories