Security reports are welcome for:

• the Python SDK and runtime in src/zcp
• transport and auth surfaces
• benchmark tooling when it can affect user environments

Please do not open public issues for unpatched vulnerabilities.

When reporting:

• describe the affected component and version or commit
• include reproduction steps
• include impact assessment when possible

Maintainers should acknowledge reports promptly and coordinate a fix before public disclosure.

This repository must not contain live provider API keys, OAuth client secrets, or production tokens. Examples and benchmark tooling are expected to read credentials from environment variables.