Security fixes are applied to the latest main branch.

Please do not open public issues for vulnerabilities.

Report privately with:

• A clear description of the issue
• Reproduction steps
• Impact assessment
• Suggested remediation (if available)

Until a dedicated security email is added, report through a private channel and avoid posting secrets, tokens, or exploit details publicly.

• Never commit .env files
• Rotate compromised tokens immediately
• Scope bot/API tokens to minimum required permissions