This project is security-sensitive because it demonstrates governed execution, refusal-proof outcomes, receipt verification, impossibility artifacts, and append-only settlement verification.
Only tagged releases are considered supported for coordinated disclosure.
Please report vulnerabilities privately.
Do not open public issues for:
- unauthorized execution without admissibility
- forged ALLOW outcomes
- bypass of REFUSE or DEFER outcomes
- token replay or substitution
- receipt verification bypass
- canonicalization mismatch
- settlement tampering
- replay inconsistencies
Please include:
- affected version or commit
- reproduction steps
- expected behavior
- observed behavior
- impact
- whether unauthorized execution or forged verification is possible
Highest severity:
- execution without admissibility
- forged or unverifiable receipts
- bypass of governed refusal/defer behavior
- broken settlement-chain integrity
Good-faith research and responsible disclosure are welcome.