If you find a bug that can leak API keys, produce unsafe prompts, or corrupt scan output, report it privately before opening a public issue.

Include:
- the affected file or module
- the environment needed to reproduce it
- the observable impact on scan quality or operator safety