Please do not open public issues for sensitive vulnerabilities.

Report security issues privately to the maintainers with:

• affected component(s)
• reproduction steps
• impact assessment
• suggested mitigation (optional)

If the issue involves leaked credentials:

1. revoke the credential immediately
2. rotate keys/secrets
3. update deployment environments

• Never commit provider API keys or access tokens
• Use deployment environment variables (Render/Vercel/local .env)
• Treat screenshots and logs as sensitive if they contain request headers or tokens

Provider adapters must:

• avoid logging raw credentials
• classify auth/quota/rate-limit failures
• return actionable errors without leaking secrets