Please report suspected vulnerabilities privately through GitHub security advisories for this repository.
Do not open public issues for credential handling, webhook signature bypass, payment reconciliation, or checkout redirect vulnerabilities.
The main branch receives security fixes until tagged releases are available.

- MakePay key secrets must remain server-side.
- Webhook events must be verified before changing payment state.
- Drupal Commerce payments should be reconciled through payment entities, not direct order state changes.