Security: opertus-systems/provenclaw

SECURITY.md

Security Policy

Supported Versions

This repository is currently in active Phase 0.5 development. The main branch is the supported branch for security fixes.

Reporting a Vulnerability

  1. Do not open a public issue for suspected vulnerabilities.
  2. Use GitHub's private vulnerability reporting for this repository: Security Advisories.
  3. Include clear reproduction steps, impact, affected paths, and any proof-of-concept artifacts.

Response Targets

  1. Initial acknowledgement: within 2 business days.
  2. Triage and severity classification: within 5 business days.
  3. Remediation or mitigation plan: as soon as triage is complete.

Disclosure Policy

  1. We follow coordinated disclosure.
  2. Public disclosure happens only after a fix or acceptable mitigation is available.
  3. Security regressions can block releases.

Scope Notes

  1. Provenance and policy bypasses are considered high severity.
  2. Receipt or audit-chain tampering is considered high severity.
  3. Secret material exposure outside approved boundaries is considered high severity.