Security Policy Do not post secrets/tokens in issues. Report vulnerabilities privately via security@yourdomain. Tokens should never appear in logs. Redaction is enforced in code and tests.