If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public issue.
2. Email heznpc@gmail.com or use GitHub Security Advisories.
3. Include steps to reproduce, impact assessment, and suggested fix if possible.

We will respond within 48 hours and work with you to resolve the issue.

This template includes automated security checks in CI:

• Dependency audit — npm audit on every push (HIGH/CRITICAL threshold)
• Secret leak detection — gitleaks scans every commit
• Dependency updates — Dependabot monitors for vulnerable dependencies
• Permission audit — CI warns on risky browser permissions (debugger, cookies, <all_urls>)
• Manifest validation — Verifies MV3 compliance on every push

• Never commit .env files or secrets — they are gitignored by default
• Use GitHub Secrets for deployment credentials
• Keep dependencies up to date by merging Dependabot PRs