If you discover a security vulnerability, please report it responsibly:

1. Email: [email protected]
2. Do NOT open a public GitHub issue for security vulnerabilities
3. Include steps to reproduce the vulnerability
4. Allow 48 hours for initial response

This project is designed for zero-cloud, offline execution:

• ❌ No external API calls
• ❌ No data exfiltration
• ❌ No telemetry
• ✅ All inference runs locally via @qvac/sdk
• ✅ No secrets required (fully keyless)
• ✅ MIT licensed, fully open source

• TruffleHog: Scans for committed secrets
• npm audit: Dependency vulnerability scanning
• CodeQL: Static Application Security Testing (SAST)
• Dependabot: Automated dependency updates
• License checker: Ensures no GPL contamination