If you discover a security vulnerability in safe-mini — particularly boundary escape, env-variable leak, or capability inversion — please report privately to justinleopard@gmail.com with subject [safe-mini Security].

We will acknowledge within 72 hours. Coordinated disclosure: we'll work with you on a fix and advisory before any details are shared broadly.

The substrate is the project's trust boundary. Findings that demonstrate the boundary doesn't hold are the highest priority class.