The repository is in active bootstrap. Security fixes will be applied to the latest main branch first.

Until a dedicated security mailbox is created, please avoid filing public issues for vulnerabilities involving:
- secrets or tokens
- remote code execution
- unsafe model loading or artifact execution
- privilege escalation
- data exposure

Instead, open a private GitHub security advisory if repository settings allow it, or contact the maintainer directly through the private channel referenced by the repository owner.

- Never commit credentials, Hugging Face tokens, or API secrets.
- Treat downloaded models and third-party artifacts as untrusted until verified.
- Keep runtime caches, model shards, and logs out of version control.
- Prefer pinned dependencies and explicit updates over unbounded upgrades.