Please open a GitHub Security Advisory or private issue with:

• impacted component/path
• reproduction steps
• severity and potential blast radius

We will acknowledge within 72 hours.

• Least-privilege tokens and environment variables
• Branch protection and PR review on default branch
• Automated dependency and workflow updates
• Code scanning + secret scanning in CI