If you believe you have found a security vulnerability, do not open a public issue.

Please report details privately with:

• Description of the issue
• Reproduction steps
• Impact assessment
• Any relevant logs or screenshots (redact secrets)

• This project can be configured for live trading (PAPER_MODE=false). Keep secrets out of source control.
• This project uses a signer abstraction; prefer keystore-based signing over raw private keys.
• For live trading deployments, review docs/THREAT_MODEL.md and follow least-privilege patterns.

• See .github/secret-scanning.md for recommended GitHub settings and local hygiene.