Mosvera includes public schemas, TypeScript and Python runtimes, a local MCP server, provider adapters, examples, and the public website.
Do not open a public GitHub issue for security vulnerabilities.
Use GitHub private vulnerability reporting on the affected repository when it is available. If you are unsure where to report, contact:
nic@niclydon.io
Please include the affected package or repository, version or commit SHA, steps to reproduce, impact, and your disclosure timeline.
Before Mosvera reaches 1.0, supported versions are the latest published 0.x packages and the default branch of each public repository.
In scope:
- Security-relevant schema or specification ambiguity.
- Runtime validation, resolution, persistence, or pack import vulnerabilities.
- MCP local file write, registry safety, or tool-surface issues.
- Provider adapters leaking secrets or mishandling credentials.
- Public website schema, pack, or download-surface issues.
Out of scope:
- Vulnerabilities in third-party provider APIs or SDKs.
- Issues requiring compromise of a contributor account or local machine.
- Valid compositions that are merely expensive to process.