The main branch is the active development line. Security fixes will be applied there. Releases, if any, will be called out in tags.

Please do not open public issues for suspected security problems. Instead:

• Email maintainer with details, steps to reproduce, and potential impact.
• If you can, include a minimal proof of concept.
• You can also submit a private advisory using GitHub Security Advisories.

We aim to acknowledge reports within 72 hours and provide an initial assessment or fix plan shortly after.

• Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue.
• Do not publicly disclose until a fix is available and users have had a reasonable time to update.