If you discover a security vulnerability in this project, please report it through GitHub Security Advisories.

Do not open a public issue for security vulnerabilities.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours of report submission
• Assessment: Within 1 week
• Fix: Depends on severity; critical issues prioritized

• Dependency vulnerabilities (outdated packages with known CVEs)
• Environment variable exposure (e.g., .env files committed to version control)
• Input validation issues in tool parameters
• Logging of sensitive data to stderr

All upstream APIs used by this server are public and require no authentication tokens:

• Scryfall (public API and bulk data downloads, requires only User-Agent header)
• Commander Spellbook (public API)
• 17Lands (public data endpoints)
• EDHREC (public JSON endpoints)
• Comprehensive Rules (public file download from Wizards of the Coast)

There are no API keys, OAuth tokens, or credentials stored or transmitted by this server.

This project uses pip-audit to check for known vulnerabilities in dependencies. Run it locally (requires dev dependencies, installed by default with uv sync):

uv run pip-audit