Security fixes are applied to the latest main branch and most recent release line. Older versions may not receive patches.

Please do not open public issues for suspected vulnerabilities.

Report privately with:

• Affected version/commit
• Reproduction steps or proof-of-concept
• Impact assessment (confidentiality/integrity/availability)
• Any known mitigations

Contact: open a private security advisory in this repository, or email the maintainers if advisory access is unavailable.

After confirmation:

1. Maintainers acknowledge receipt and start triage.
2. A fix is developed and validated.
3. A coordinated disclosure timeline is agreed when practical.
4. A patch release and advisory are published.

• Never include secrets/tokens/session blobs in reports.
• Minimize test data to non-sensitive samples.
• Respect privacy boundaries for bridged chat content.