Please report suspected vulnerabilities privately through GitHub's security advisory flow for this repository. Do not open a public issue for security-sensitive reports.

Include:

• Affected package, version, or commit.
• Steps to reproduce or a minimal proof of concept.
• Impact, including whether report signatures, storage credentials, uploaded files, or user-submitted content may be exposed or bypassed.

We will acknowledge valid reports as soon as possible and coordinate a fix before public disclosure.