If you find a security issue in Faultline, avoid opening a public issue first if the report would disclose an active vulnerability, credential, or sensitive supply-chain weakness.
Use GitHub private vulnerability reporting when it is available for this repository. If private reporting is not enabled, contact the maintainer privately before publishing details.

Relevant reports include:
- credential or token disclosure in tracked fixtures, examples, or release artifacts
- vulnerabilities in release, packaging, or update workflows
- issues that could cause Faultline to expose local repository data unexpectedly

Please include a minimal reproduction, affected files or commands, impact, and any suggested mitigation.