• API keys are stored in VS Code SecretStorage.
• Do not commit keys to source control or workspace files.

• Run npm audit regularly.
• Keep TypeScript, ESLint, and build dependencies updated.

• Run npm run release:local before producing VSIX artifacts.
• Run npm run marketplace:preflight:strict before public publish.
• Inspect VSIX contents using:

npx @vscode/vsce ls --tree

If you identify a vulnerability, report it privately to project maintainers and avoid public disclosure until mitigated.