Security: mentara-team/MENTARA

.github/SECURITY.md

Security Policy — Mentara LMS

Supported Versions

Version Supported
main

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly. Do not open a public issue.

Contact: security@mentp.com

We will acknowledge receipt within 48 hours and provide a detailed response within 5 business days.

Security Practices

  • All credentials are stored in environment variables, never in source code.
  • Branch protection is enabled on main with required reviews.
  • HTTPS is enforced in production with HSTS.
  • CSRF, XSS, and clickjacking protections are enabled.
  • JWT tokens are used for API authentication with short expiry.
  • Database connections use SSL in production.
  • GitHub Actions workflows use least-privilege permissions.

There aren’t any published security advisories