Security reports should target the currently published @guidemark/react npm package and the public documentation in this repository.
Please report suspected vulnerabilities privately through https://guidemark.dev/contact.
Include:
- affected package version
- reproduction steps
- expected and actual behavior
- whether the issue affects local development, production origins, or hosted license validation
Do not open a public GitHub issue for a vulnerability until it has been reviewed.
Guidemark browser license keys are site-bound public keys. They are expected to be visible in browser bundles and are validated against configured allowed origins.
Never place private credentials in browser-exposed environment variables. This includes API keys, admin tokens, Stripe secrets, webhook secrets, and database credentials.
The SDK sends the current origin, host, package name, and package version during hosted validation. It does not need your Stripe secrets, admin tokens, or private server credentials in the browser.
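The origin-binding check described above, as an added example rather than Guidemark's own validator: the payload field names, the license table and the response strings are assumptions, and the point is that because the key is public, exact matching of the reported origin against the configured allowlist is the real control.

```javascript
// Added example (not Guidemark's code): models the site-bound check a hosted
// license validator performs on the fields the SDK is described as sending.
// Field names, the license table and status strings are constructed for
// illustration; the real service's payload and responses are not shown here.

// Constructed license table. The key is public and ships in the bundle, so
// the allowed-origin list is what actually gates validation.
const LICENSES = {
  gm_pub_example_key: {
    package: "@guidemark/react",
    allowedOrigins: ["https://app.example.com", "http://localhost:5173"],
  },
};

// Normalize an origin to scheme://host[:port]. Rejects "null", relative
// values, userinfo, paths and query strings so only a real origin compares.
function normalizeOrigin(value) {
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.username || url.password) return null;
  if (url.pathname !== "/" || url.search || url.hash) return null;
  return url.origin; // canonical form also drops default ports
}

// Validate one SDK report; returns a status string so decisions can be logged.
function validateLicense(payload) {
  const lic = LICENSES[payload.licenseKey];
  if (!lic) return "unknown_key";
  if (payload.packageName !== lic.package) return "package_mismatch";
  const origin = normalizeOrigin(payload.origin);
  if (!origin) return "bad_origin";
  // Exact set membership: "https://app.example.com.evil.net" must not pass
  // a prefix or substring comparison, so compare whole normalized origins.
  const allowed = new Set(lic.allowedOrigins.map(normalizeOrigin));
  if (!allowed.has(origin)) return "origin_not_allowed";
  // The reported host must agree with the origin the SDK reported.
  if (new URL(origin).host !== payload.host) return "host_mismatch";
  return "ok";
}

// Stand-alone demonstration with a constructed report.
console.log(validateLicense({
  licenseKey: "gm_pub_example_key", packageName: "@guidemark/react",
  packageVersion: "1.0.0", origin: "https://app.example.com",
  host: "app.example.com",
}));
```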