| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| 0.2.x | ✅ |
| < 0.2 | ❌ |

Do not open a public issue for security vulnerabilities.

- Preferred: Open a private security advisory in this repository (if you have access).
- Alternatively: Use the Security Incident issue template and set severity; we will treat it confidentially. You can also contact the maintainer directly.

We will acknowledge receipt and aim to respond within a reasonable time. For accepted issues we will coordinate disclosure and credit as appropriate.

- Secrets: No API keys or tokens in the repo. Use the system keyring; see keyring-keys-reference.
- CI: Gitleaks, Bandit, pip-audit, Semgrep, and CodeQL run on push/PR.
- Dependencies: Dependabot and a weekly security workflow. Known exceptions and accepted risks are documented in security-decision-log and security-and-dependencies.