If you identify a potential security issue:

• Do not open a public issue with exploit details.
• Report it privately to the repository maintainers.

When reporting, include:

• Affected component/path
• Reproduction steps
• Impact assessment
• Suggested mitigation (if available)