Security fixes are provided for:

• the latest published PyPI release in the 1.x line
• the current main branch before the next public release

Older tags, prerelease milestones, and abandoned branches may not receive security updates.

Please do not open a public GitHub issue for suspected vulnerabilities.

Instead, report security issues by emailing blaise@buenaola.io with:

• a clear description of the issue
• affected version, commit, or deployment context
• reproduction steps or a proof of concept if available
• any suggested mitigation or timeline constraints

I will acknowledge receipt as quickly as possible, validate the report, and work with you on a coordinated disclosure timeline before any public write-up.