Security hardening.
- Jinja2 templating uses a sandboxed environment, preventing SSTI/RCE via render_string (CWE-94/1336)
- All HTTP backends validate subject/sender/recipients and custom headers for CRLF/NUL (CWE-93)
- SNS notifications verify the message RSA signature against the AWS signing certificate (CWE-345)
- Secret config fields excluded from dataclass repr (CWE-532)
- validate_certs=False emits a warning before disabling TLS verification
- Provider error response bodies truncated in debug logs (CWE-532)
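
The CRLF/NUL check on subject, sender, recipients and custom headers can be sketched as follows. This is an added example, not the project's own code; `validate_message_fields`, `HeaderInjectionError` and the field labels are hypothetical names, and the sample message is constructed.

```python
import re

# CR and LF end a header line; NUL truncates strings in some downstream parsers.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """A message field contains CR, LF or NUL (hypothetical name)."""

    def __init__(self, field, offset):
        # Report the field label and offset only; the raw value may hold PII.
        super().__init__(f"{field}: forbidden control character at offset {offset}")
        self.field = field
        self.offset = offset


def _check(field, value):
    if not isinstance(value, str):
        raise TypeError(f"{field} must be str, got {type(value).__name__}")
    match = _FORBIDDEN.search(value)
    if match:
        raise HeaderInjectionError(field, match.start())


def validate_message_fields(subject, sender, recipients, headers=None):
    """Check every string before it reaches an HTTP backend.

    Returns the number of strings checked; raises on the first violation.
    """
    if isinstance(recipients, str):
        # A bare string would otherwise be iterated character by character.
        raise TypeError("recipients must be a list of addresses, not a str")
    pairs = [("subject", subject), ("sender", sender)]
    pairs += [(f"recipients[{i}]", r) for i, r in enumerate(recipients)]
    for i, (name, value) in enumerate((headers or {}).items()):
        # Header names need the same check when they are built from user input.
        pairs.append((f"headers[{i}].name", name))
        pairs.append((f"headers[{i}].value", value))
    for field, value in pairs:
        _check(field, value)
    return len(pairs)


if __name__ == "__main__":
    # Constructed sample: a clean message passes and reports 5 checked strings.
    print(validate_message_fields(
        "Hi", "a@example.com", ["b@example.com"], {"X-Tag": "v"}))
```

Rejecting the value outright, rather than stripping the control characters, keeps a malformed message from being sent in altered form.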