# Security Policy

## Supported Versions

Fixes land on main; backports are not guaranteed. UX/tooling tags (�1.1.0-ux, �1.0.2-tools) follow main when security fixes apply.

## Reporting a Vulnerability

Do NOT open public issues for security reports.

Preferred: use GitHub Security Advisories (Repo → Security → Report a vulnerability).

Include (sanitized) details:

- Summary/impact and affected component(s)
- Repro steps or PoC (no sensitive data)
- Observed/expected behavior and severity
- Version/tag or commit SHA

Checkbox reminder (reporters):

- I did not include secrets or production data in logs/attachments.

## Related References

- SECURITY_NOTES.md (additional guidance)
- README.md → Runtime guards (policy/guard context)