If you discover a security vulnerability, please disclose it privately to the maintainers, either by opening a private issue (create an issue labeled security and add PRIVATE to the title) or by emailing the maintainers. Avoid public disclosure until a fix or mitigation is available.
We will respond to reports within a reasonable timeframe and coordinate disclosure.
As general guidance, do not commit secrets, API keys, or private model weights to the repository. Use an external storage mechanism and provide instructions for obtaining large assets when needed.