Only the latest minor release is supported. Security fixes land on main
and are shipped as a patch release on top of the most recent tag.

Please report suspected vulnerabilities privately to singaraiona@gmail.com rather than opening a public issue. Include:
- A short description of the issue and the affected component (CLI, MCP server, live UI, or the embedded Rayforce C runtime).
- Reproduction steps or a proof of concept.
- Your assessment of impact.

Expect an initial acknowledgement within 72 hours. If the report
qualifies, we will coordinate a disclosure timeline with you, ship a
fix on main, cut a tagged release, and credit you in the release
notes (unless you prefer to remain anonymous).

For non-security bugs, please use the public issue tracker.