Please do not open public issues for security vulnerabilities.

Report vulnerabilities privately to maintainers with:

• affected endpoint/file
• impact description
• reproduction steps
• suggested remediation (if available)

• Never commit .env files or service-account JSON credentials.
• Rotate credentials immediately if exposure is suspected.
• Use immutable Cognito sub IDs for authorization decisions.
• Restrict CORS origins and keep API keys out of client bundles.