Security issues should be reported privately.
Use GitHub's "Report a vulnerability" flow for this repository when it is available. If that is unavailable, contact the maintainers privately before publishing details.
Please include:
- affected version, commit, or deployment mode,
- a clear reproduction path,
- expected and observed behavior,
- impact, especially for workspace isolation, authentication, secret handling, integration credentials, agent tool access, or internal web/worker routes.
Do not include live secrets, customer data, private tokens, or exploit details in public issues.
Security fixes target main and the latest published CLI release unless a specific release branch is announced.