Responsible Disclosure
If you believe you found a vulnerability:
- Do not publish exploit details publicly.
- Use a private reporting channel if available (GitHub private security reporting), or open a GitHub issue without sensitive details and request a private follow-up.
Please include:
- affected component (docs/spec/implementation, if known)
- minimal reproduction steps
- expected impact
- suggested mitigation (if any)
We aim to acknowledge credible reports and coordinate a fix before public disclosure.
Do not share secrets
Never include private keys, seed phrases, privileged configs, or operational signer details in reports.