402-mcp handles real money — security is a first-class concern.
For details on spend safety, SSRF protection, credential encryption, transport hardening, and input validation, see docs/security.md.
If you find a security issue, please report it privately via GitHub Security Advisories.