Please report security issues privately to hi@cumulush.com.

Do not open public issues for suspected credential exposure, auth bypasses, or data leaks.

Rune is bring-your-own-key. Production model calls must use user-owned secrets stored through the app or through a self-hosted secret provider. The repository must not contain real API keys, private keys, passwords, service-role keys, or generated build output.