Security Policy

Do not commit secrets. Use environment variables.

Report vulnerabilities via Issues marked "security" or email (replace with your contact).

Rotating demo credentials: ensure .env.example documents required vars without secrets.
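
One way to enforce the .env.example rule before a commit, added here as an example and not part of this repository's own code. The key-name list, placeholder shapes, entropy threshold and sample file contents are all assumptions chosen for illustration.

```python
import math
import re

# Assumption: key names containing these words hold credentials.
SENSITIVE_KEY = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE|CREDENTIAL)", re.I)
# Assumption: values of these shapes are documentation placeholders, not secrets.
PLACEHOLDER = re.compile(r"^(|<.*>|\$\{.*\}|change[-_]?me|your[-_].*|x{3,}|example.*|replace[-_].*)$", re.I)
LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def shannon_entropy(value):
    """Bits per character; random tokens score high, words and URLs low."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def audit_env_example(text, entropy_threshold=4.0, min_len=20):
    """Return (line_no, key, reason) for every entry that looks like a real secret."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments document, they do not leak
        match = LINE.match(raw)
        if not match:
            findings.append((line_no, None, "unparseable line"))
            continue
        key, value = match.group(1), match.group(2).strip("\"'")
        if PLACEHOLDER.match(value):
            continue  # empty or obviously fake value: the intended state
        if SENSITIVE_KEY.search(key):
            findings.append((line_no, key, "sensitive key has a non-placeholder value"))
        elif len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
            findings.append((line_no, key, "high-entropy value"))
    return findings


# Constructed sample, not a real project's file.
SAMPLE = """\
# Required variables
PORT=3000
DATABASE_URL=<postgres connection string>
API_KEY=
SESSION_SECRET=demo-session-value-123
WEBHOOK_SIG=q8Zr2LxV0nT5bYc7KdP1mWs4
"""

if __name__ == "__main__":
    for finding in audit_env_example(SAMPLE):
        print(finding)
```

Any value this flags, demo credentials included, should be rotated and replaced with a placeholder rather than only deleted from the file, because it remains in git history.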