Security: ablott976/splitbill-oss

SECURITY.md

Security Policy

Please do not report security issues in public GitHub issues.

If you find a vulnerability, contact the maintainer privately with:

  • affected version/commit,
  • reproduction steps,
  • impact,
  • suggested mitigation if available.

Current security notes

  • Ticket URLs are bearer links. Anyone with a ticket URL can edit that ticket.
  • Do not commit .env files or real API keys.
  • Run production deployments with ENVIRONMENT=production, explicit TRUSTED_HOSTS, explicit ALLOWED_ORIGINS, and a strong SECRET_KEY.
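A preflight check for the four settings named in the last note, as an added example that is not part of the project's code. It assumes that TRUSTED_HOSTS and ALLOWED_ORIGINS are comma-separated lists in which "*" is a wildcard, and that 32 characters is an acceptable minimum for SECRET_KEY; the function name, thresholds and sample values are hypothetical.

```python
import os
import sys

# Assumptions (not from the project): list variables are comma-separated,
# "*" marks a wildcard entry, and SECRET_KEY should be at least 32 characters.
MIN_SECRET_LEN = 32
MIN_DISTINCT_CHARS = 8


def _items(value):
    """Split a comma-separated setting into non-empty, trimmed entries."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def check_production_env(env):
    """Return a list of problems found in a mapping of environment variables."""
    problems = []
    if env.get("ENVIRONMENT") != "production":
        problems.append("ENVIRONMENT is not 'production'")
    for name in ("TRUSTED_HOSTS", "ALLOWED_ORIGINS"):
        items = _items(env.get(name))
        if not items:
            problems.append(f"{name} is not set")
        elif any("*" in item for item in items):
            problems.append(f"{name} contains a wildcard, list each value explicitly")
    secret = env.get("SECRET_KEY", "")
    if len(secret) < MIN_SECRET_LEN:
        problems.append(f"SECRET_KEY is shorter than {MIN_SECRET_LEN} characters")
    elif len(set(secret)) < MIN_DISTINCT_CHARS:
        problems.append("SECRET_KEY has low character variety")
    return problems


# Constructed sample environments (not real hosts or keys).
WEAK = {"ENVIRONMENT": "development", "TRUSTED_HOSTS": "*",
        "ALLOWED_ORIGINS": "*", "SECRET_KEY": "changeme"}
HARDENED = {"ENVIRONMENT": "production",
            "TRUSTED_HOSTS": "bills.example.com",
            "ALLOWED_ORIGINS": "https://bills.example.com",
            "SECRET_KEY": "constructed-example-only-9f3b7c1d5e8a2046"}

if __name__ == "__main__":
    # Check the real process environment and fail the deploy on any finding.
    found = check_production_env(os.environ)
    for problem in found:
        print(f"config problem: {problem}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run as a deploy step, it exits non-zero and lists each finding when the environment does not meet the note above.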

There aren't any published security advisories