Please report security vulnerabilities privately to the maintainer (see AUTHORS.md for contact).

Do not open a public GitHub issue for an undisclosed security problem.

For dependency and supply-chain hygiene, use uv sync with the committed lockfile and keep the development baseline in CONTRIBUTING.md.