Security: jellis777/Meditate

SECURITY.md

Security Policy

Supported Versions

This project currently supports the main branch.

Reporting a Vulnerability

If you discover a security issue:

  1. Do not open a public issue with exploit details.
  2. Contact the maintainer privately with:
    • vulnerability description
    • reproduction steps
    • impact assessment
    • suggested remediation (if available)
  3. Allow time for a fix before public disclosure.

Secret Handling

Never commit:

  • API keys
  • JWT secrets
  • production DB credentials
  • real .env files

Use:

  • environment variables
  • local-only config files
  • .NET user secrets for local development

If a secret is exposed:

  1. Rotate the secret immediately.
  2. Remove it from repository history.
  3. Invalidate any affected tokens/credentials.
  4. Document the incident and preventive action.
