Security: Yaming-Hub/knit

Security Policy

Supported Versions

Version    Supported
0.4.x      ✅ Current
< 0.4      ❌ No

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do not open a public GitHub issue.
  2. Use GitHub's private vulnerability reporting.
  3. Include a description of the vulnerability, steps to reproduce, and any potential impact.

You should receive a response within 7 days. We will work with you to understand and address the issue before any public disclosure.

Scope

Knit is a data generation tool. Security concerns include:

  • Blueprint injection — Malicious blueprint files causing unintended behavior (e.g., path traversal in output paths).
  • WASM plugin safety — WASM plugins loaded via --plugin run as trusted local code with no sandboxing or resource limits. Only load modules you trust.
  • Dependency vulnerabilities — Issues in upstream crates that affect Knit.

There aren't any published security advisories