This policy covers the code in this repository and the maintained deployment paths described in the operator docs.

If you discover a security issue, please report it privately:

1. Do not open a public issue for an unpatched vulnerability.
2. Use GitHub Security Advisories if they are enabled for this repository.
3. Otherwise, contact the repository owner directly through a private channel.

• Never commit .env or API keys.
• Keep local runtime secrets in ignored files such as .env or host-level secret paths.
• Rotate credentials immediately if exposure is suspected.

Please allow reasonable time to validate and remediate the issue before any public disclosure.