Do not submit real secrets, proprietary prompts, customer data, or executable payloads as fixtures.

Report vulnerabilities through GitHub private vulnerability reporting. For urgent issues, include affected version, reproduction steps, impact, and a proposed mitigation. Do not open a public issue before coordinated disclosure.

The evaluator, shared-contract validator, tests, benchmarks, and release generator perform no network calls and execute no fixture content.