GitHub private vulnerability reporting is the canonical path for this repository.
If you discover a security issue, report it there first. Do not open a public issue or pull request for security-sensitive findings.
For runtime posture, secret-handling patterns, and localhost-first deployment guidance, also see docs/SECURITY.md.
This root file is the community reporting surface; the deeper runtime guidance stays there.
Report privately when a finding involves:
- accidental secret leakage
- credentials, tokens, or private keys
- unsafe examples that expose real infrastructure
- private operational URLs or internal-only file paths
- sensitive logs, rendered config output, or other secret-bearing artifacts
- a vulnerability that could materially affect users or maintainers
Public issues and pull requests are not appropriate for:
- secret exposure
- credential leaks
- infrastructure-sensitive disclosures
- unredacted logs or config output
- exploit details before maintainers have had time to assess the report
All contributed material must be:
- sanitized
- generalized where needed
- free of secrets
- safe for public reuse