Do not open public GitHub issues for security vulnerabilities.

Use GitHub private vulnerability reporting for this repository when it is available. Include:
- a description of the vulnerability
- the affected version or commit
- reproduction steps or proof of concept
- impact assessment
- any suggested mitigation

If private vulnerability reporting is not available yet, do not publish the details in a public issue. Open a minimal issue asking for a private contact path and omit the vulnerability details.

We will aim to:
- acknowledge receipt promptly
- confirm whether the issue is in scope
- communicate remediation status as fixes progress
- coordinate disclosure timing when a fix is ready

This project is pre-1.0 and moving quickly. Security fixes, when available, are expected to land on the latest mainline version rather than through long-lived backport branches.