Report vulnerabilities privately to: security@yai.local (placeholder). Do not publish details before coordinated remediation.

1. Intake and initial triage
2. Reproduction and impact classification
3. Fix and validation
4. Coordinated disclosure with advisory/release notes

In scope:

• parsing/input handling in the CLI
• command boundary/authority bypasses
• dangerous mismatches between CLI behavior and specs contracts

No secrets, tokens, or credentials in this repository.