Report security issues privately using GitHub Security Advisories instead of opening a public issue.
Include:
- affected version
- reproduction steps
- impact
- suggested mitigation if known
Security-sensitive areas include:
- manifest input validation
- file output handling
- runtime inspection surfaces
- protocol parsing
- sanitization behavior
This project aims to be safe for agent-facing usage, which means:
- rejecting unsafe control characters where practical
- refusing unsafe write paths
- preserving machine-readable error behavior
Please report bypasses or unsafe edge cases.