Do not open a public issue for a suspected vulnerability. Use the repository's private security advisory feature: https://github.com/rebel0789/open-agent-fabric/security/advisories/new.
Supported security boundaries are documented in docs/security/. External adapters are disabled by default. No production security guarantee is made for the development bootstrap.
A report should include affected version, reproduction, impact, environment, and suggested remediation. Maintainers should acknowledge within two business days and coordinate disclosure after a fix is available.