Problem
There is no SECURITY.md. The project handles API keys (see .env.template), runs untrusted user-supplied blueprints, and calls out to multiple LLM providers — but there is no documented way to privately report a vulnerability.
Proposed change
Add a root SECURITY.md covering:
- Supported versions / scope
- A private reporting channel (GitHub private vulnerability reporting and/or a security email)
- Expected response/triage timeline
- Guidance on what not to include in a public issue (secrets, PII, live keys)
Enable GitHub Private Vulnerability Reporting in repo settings so the "Report a vulnerability" button appears.
Acceptance criteria
- SECURITY.md exists at repo root and is linked from the README