This project is currently an early open-source MVP. Security fixes should focus on:

• secret handling
• auth and access control regressions
• export or import integrity issues
• unsafe default behavior in the demo or server runtime

Please do not open public issues for suspected vulnerabilities.

Instead, report them privately to the maintainer once a dedicated contact channel is published. Until then, coordinate directly with the repository owner.

• Never commit API keys or access tokens.
• Use environment variables for third-party model providers.
• Rotate any credential that was ever exposed in chat, logs, screenshots, or commits.