Security fixes land on the default branch and current release line.

Do not open a public issue for security bugs.

Use one of these instead:

• GitHub Security Advisory for this repository
• Direct contact with the maintainers through the private security channel

Include:

• affected version or commit
• impact
• reproduction steps
• any suggested mitigation

• prefer minimal, targeted fixes
• avoid adding new systems unless the fix requires them
• keep .dag/dotdog paths lean when changing agent behavior