If you find a security issue (key leakage, unsafe tool execution, prompt injection path, etc.), please do not open a public issue.

Share details privately with the project maintainer.

• Never commit .env files or secrets.
• Prefer environment variables for API keys.
• Treat any tool execution path as untrusted input.