MVP stage; security fixes are applied to main.

Please open a private security advisory or email the maintainer. Do not file public issues for sensitive reports.

Automated updates via Dependabot; static analysis via CodeQL; optional container scan via Trivy in CI.