The current 0.x line receives security fixes.

Open a private security advisory or contact the maintainers through the repository security channel. Do not include private raw logs, credentials, or proprietary benchmark data in public issues.

• Raw logs are referenced by digest and external location, not copied into the repository.
• The CLI performs no network access by default.
• Generated outputs belong in out/, which is ignored by git.
• .env, credentials, local databases, private traces, and data/private/ are ignored.
• CLI validation errors redact common secret-like patterns before printing.
• Fields tagged raw_generated are accepted only when this package has an implemented finite subcompiler for that field.

If a manifest contains private information, redact it before sharing. A certificate only needs replay hashes and the declared validation status of consumed fields.