
Security: rogu3bear/docx2pages

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.4.x
1.3.x
< 1.3

Reporting a Vulnerability

If you discover a security vulnerability in docx2pages, please report it responsibly:

  1. Do not open a public issue
  2. Email the maintainers directly (see package.json or commit history for contact)
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

Security Considerations

File Handling

  • docx2pages treats every input DOCX as untrusted
  • The parser opens the archive with Python's zipfile and parses its XML parts with defusedxml; zipfile itself places no bound on the decompressed size of an entry (see Known Limitations)
  • defusedxml refuses entity declarations and external entity references, so XML External Entity (XXE) and entity-expansion (billion laughs) payloads are rejected rather than expanded
  • Control characters that are not valid in JSON strings are stripped from extracted text content
  • Malformed DOCX files should fail with a clean error, never crash the tool or execute code
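
The list above describes the pipeline; the following is an added example, not code from docx2pages, that shows the same three defences working together on constructed inputs: the archive is opened with zipfile, word/document.xml is parsed with expat configured the way defusedxml configures it (handlers that abort on any DOCTYPE or entity declaration, reproduced here with the standard library so the example runs without the dependency), and control characters are stripped before the text is returned in a JSON-ready structure. The paragraph-extraction rules (w:t runs concatenated per w:p), the 50 MiB cap on document.xml, and the DocxError/convert helpers are assumptions of this example, not the project's API.

```python
import io
import re
import zipfile
import xml.parsers.expat

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
P_TAG, T_TAG = W_NS + "}p", W_NS + "}t"   # expat reports names as "uri}local" here

# C0 controls other than tab/LF/CR, plus DEL and the C1 block. Strict JSON readers reject raw
# U+0000..U+001F; expat already rejects most as ill-formed XML 1.0, so this mostly catches DEL/C1.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]")
MAX_DOCUMENT_XML = 50 * 1024 * 1024   # assumed cap on the inflated size of document.xml


class DocxError(ValueError):
    """Every hostile or malformed input ends here: callers get an error, not a traceback."""


def sanitize(text: str) -> str:
    return CONTROL_CHARS.sub("", text)


def _parse_paragraphs(xml_bytes: bytes) -> list[str]:
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    parser.buffer_text = True

    def refuse(*_args):
        # The same hook defusedxml installs on expat: abort on any DTD or entity machinery.
        raise DocxError("DOCTYPE and entity declarations are not allowed in document.xml")

    parser.StartDoctypeDeclHandler = refuse   # stops XXE and billion-laughs at the DOCTYPE
    parser.EntityDeclHandler = parser.UnparsedEntityDeclHandler = refuse   # defence in depth
    parser.ExternalEntityRefHandler = refuse
    paragraphs, run_text, in_text = [], [], False

    def start(name, _attrs):
        nonlocal in_text
        if name == P_TAG:
            run_text.clear()
        elif name == T_TAG:
            in_text = True

    def end(name):
        nonlocal in_text
        if name == T_TAG:
            in_text = False
        elif name == P_TAG:
            paragraphs.append(sanitize("".join(run_text)))

    def chars(data):
        if in_text:
            run_text.append(data)

    parser.StartElementHandler, parser.EndElementHandler, parser.CharacterDataHandler = start, end, chars
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise DocxError(f"malformed document.xml: {exc}") from None
    return paragraphs


def extract_text(data: bytes) -> list[str]:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            try:
                info = zf.getinfo("word/document.xml")
            except KeyError:
                raise DocxError("not a DOCX: word/document.xml is missing") from None
            # zipfile trusts the header's size fields, so this is a cheap first bound on
            # inflation, not a complete zip-bomb defence (see Known Limitations).
            if info.file_size > MAX_DOCUMENT_XML:
                raise DocxError("document.xml exceeds the size limit")
            xml_bytes = zf.read(info)
    except zipfile.BadZipFile as exc:
        raise DocxError(f"not a zip archive: {exc}") from None
    return _parse_paragraphs(xml_bytes)


def convert(data: bytes) -> dict:
    """JSON-safe result: paragraphs on success, an error message on failure, never a crash."""
    try:
        return {"ok": True, "paragraphs": extract_text(data)}
    except DocxError as exc:
        return {"ok": False, "error": str(exc)}


def build_docx(document_xml: bytes) -> bytes:
    """Constructed minimal DOCX for the demo: a zip holding only word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed inputs. U+0085 (NEL) is legal XML 1.0 text but a control character.
BENIGN_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<w:document xmlns:w="{W_NS}"><w:body>'
    '<w:p><w:r><w:t>Hello\x85 world</w:t></w:r></w:p>'
    '<w:p><w:r><w:t xml:space="preserve">Second </w:t></w:r><w:r><w:t>run</w:t></w:r></w:p>'
    '</w:body></w:document>'
).encode("utf-8")
XXE_XML = (
    '<?xml version="1.0"?><!DOCTYPE w:document [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>&xxe;</w:t></w:r></w:p></w:body></w:document>'
).encode("utf-8")
NOT_A_ZIP = b"PK\x03\x04 this is not a zip archive"
TRUNCATED_XML = BENIGN_XML[:-20]   # valid zip, unterminated XML
```

Running convert() over build_docx(BENIGN_XML), build_docx(XXE_XML), NOT_A_ZIP and build_docx(TRUNCATED_XML) returns a paragraph list for the first and a structured error for the other three; the XXE document is refused at the DOCTYPE before the file:// entity is ever touched, which is the property the defusedxml bullet above relies on.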

Automation Permissions

  • The tool requires the macOS Automation permission (the TCC prompt for sending Apple events) to control Pages
  • It does not request or use any other system permission
  • Template files are copied before use and never modified in place

Lock File

  • A lock file is created at the fixed path /tmp/docx2pages.lock
  • The file is world-readable, and because /tmp is shared any local user can see, pre-create or hold it; the only thing that affects is whether this tool can run
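
The page does not show how the lock is taken, so the following is an added example of my own, not docx2pages code, of acquiring a lock at a fixed path in a shared directory while refusing the two things another local user can plant there: a symlink (rejected by O_NOFOLLOW) and a pre-created file owned by someone else (rejected by the fstat check). The lock itself is an advisory flock, which is released automatically if the process dies. The LockError/try_acquire/demo helpers and the ownership rule are assumptions of this example.

```python
import fcntl
import os
import stat
import tempfile


class LockError(RuntimeError):
    """Another instance holds the lock, or the lock path is not safe to use."""


def acquire_lock(path: str = "/tmp/docx2pages.lock") -> int:
    """Take an exclusive, non-blocking lock on `path` and return the open descriptor."""
    try:
        # O_NOFOLLOW: a symlink planted at the fixed path fails with ELOOP instead of
        # being followed; O_CLOEXEC keeps the lock from leaking into child processes.
        fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC, 0o600)
    except OSError as exc:
        raise LockError(f"cannot open lock file {path}: {exc.strerror}") from None
    try:
        st = os.fstat(fd)
        # A file pre-created by another local user in the shared /tmp is refused outright.
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise LockError(f"refusing {path}: not a regular file owned by this user")
        # flock is tied to the open file description, so a second open() in the same
        # process (or any other process) is blocked until this descriptor is closed.
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        raise LockError(f"another docx2pages instance holds {path}") from None
    except Exception:
        os.close(fd)
        raise
    return fd


def release_lock(fd: int) -> None:
    """Explicit release; the kernel does the same when the descriptor or process goes away."""
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def try_acquire(path: str):
    """Return (fd, None) on success or (None, reason) when the lock cannot be taken."""
    try:
        return acquire_lock(path), None
    except LockError as exc:
        return None, str(exc)


def demo() -> dict:
    """Exercise the checks in a scratch directory (constructed inputs, not /tmp itself)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "docx2pages.lock")
    fd, _ = try_acquire(path)
    _, busy = try_acquire(path)              # second descriptor while the first is held
    release_lock(fd)
    fd2, reacquired = try_acquire(path)      # lock is free again once released
    release_lock(fd2)
    planted = os.path.join(tmpdir, "planted.lock")
    os.symlink(os.path.join(tmpdir, "victim"), planted)   # what a hostile local user could leave
    _, symlink = try_acquire(planted)
    return {"busy": busy, "reacquired": reacquired, "symlink": symlink}
```

demo() reports the second acquisition as held by another instance, the re-acquisition after release as successful, and the planted symlink as an open failure rather than a lock on whatever the link points at.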

Known Limitations

  • Large malformed files may drive memory usage high before they are rejected, since decompression is not bounded up front
  • The conversion process times out after 120 seconds by default; very large legitimate documents may need --timeout raised

There aren’t any published security advisories