Do not report security vulnerabilities through public GitLab issues.

Instead, please report them via email to: security@jewell.dev

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

You will receive a response within 48 hours. If confirmed, we will:

1. Acknowledge the report
2. Work on a fix
3. Release a patch
4. Credit you (unless you prefer anonymity)

• Ada 2022 with SPARK subset for memory safety
• No pointer arithmetic
• Strong type checking at compile time

• Minimal dependency tree
• All dependencies audited
• Nix for reproducible builds

• API keys never logged or stored in plaintext
• Local-first architecture minimises data transmission
• No telemetry without explicit consent

Vexometer processes potentially sensitive:

• User prompts
• Model responses
• API credentials

We assume:

• Local execution is trusted
• Remote APIs may be compromised
• Pattern databases may be manipulated

Mitigations are documented in docs/SPECIFICATION.md.