If you discover a security vulnerability, please report it responsibly by contacting the maintainers directly. Do not open a public issue.

This project follows strict secret management practices:

• Use .NET User Secrets for local development
• Never commit secrets to source control
• appsettings.Development.json is excluded via .gitignore

• Use Azure Key Vault for production secrets
• Use Managed Identity where possible
• Prefer certificate-based authentication over client secrets

• ❌ Do not hardcode secrets in appsettings.json
• ❌ Do not pass secrets via command-line arguments
• ❌ Do not log access tokens or secrets
• ❌ Do not commit .env files with real values