Security

Reporting vulnerabilities

Please do not open public issues for undisclosed security vulnerabilities.

Preferred: use GitHub Security advisories for a private report.

Full policy: SECURITY.md on GitHub (supported versions, secret handling, coordinated disclosure expectations).

Guidelines (summary)

  • Never commit secrets; use environment variables or a secret manager.
  • Provider YAML uses api_key_env to name variables—never embed key material.
  • Configuration is loaded with yaml.safe_load only.
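
The sketch below shows how these three guidelines can be enforced together at load time. It is an added example, not code from this project: the `providers` mapping layout, the `load_providers` function, the `ConfigError` class and the list of forbidden inline fields are assumptions; only `api_key_env` and `yaml.safe_load` come from the guidelines above. It requires PyYAML.

```python
import os
import yaml  # PyYAML

# Field names that would hold key material inline (assumed names, not the project's).
FORBIDDEN_FIELDS = {"api_key", "token", "secret"}


class ConfigError(ValueError):
    """Raised when provider configuration violates the guidelines."""


def load_providers(text, environ=None):
    """Parse provider YAML safely and resolve each api_key_env from the environment."""
    environ = os.environ if environ is None else environ
    try:
        # safe_load builds only plain YAML types; python/* tags are rejected.
        doc = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        raise ConfigError(f"rejected YAML: {exc}") from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("providers"), dict):
        raise ConfigError("expected a top-level 'providers' mapping")
    resolved = {}
    for name, cfg in doc["providers"].items():
        if not isinstance(cfg, dict):
            raise ConfigError(f"{name}: provider entry must be a mapping")
        inline = FORBIDDEN_FIELDS & set(cfg)
        if inline:
            # Report the field name only, never the value.
            raise ConfigError(f"{name}: inline key material in {sorted(inline)}")
        var = cfg.get("api_key_env")
        if not isinstance(var, str) or not var:
            raise ConfigError(f"{name}: api_key_env must name an environment variable")
        if not environ.get(var):
            raise ConfigError(f"{name}: environment variable {var} is not set")
        resolved[name] = environ[var]
    return resolved


# Constructed sample inputs.
GOOD = "providers:\n  example:\n    api_key_env: EXAMPLE_API_KEY\n"
INLINE = "providers:\n  example:\n    api_key: constructed-not-a-real-key\n"
TAGGED = "providers: !!python/tuple [a, b]\n"
```
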