Security: SillyLittleTech/Portf

SECURITY.md

Security Policy

Supported Versions

Reporting a Vulnerability

This repository is provided as a starter template. The security guidance below helps template maintainers and downstream users set up a responsible disclosure and scanning workflow.

Quick checklist for template users

  • Replace any example security contact emails (security@example.com) with a real address that you monitor (or use your organisation's vulnerability intake process).
  • Configure CI steps to run security linters and scanners (Snyk, npm audit, Dependabot alerts, or other SCA tools) as appropriate. Document these steps in README.md.
  • If you use third-party services (analytics, error trackers, auth providers), document what's collected and how to opt out in your privacy policy.

For template maintainers & contributors

  • Licensing reminder: this template ships under BSD-3-Clause with an attribution to Kiya Rose (2025). When you redistribute or publish derived works, preserve that license and the attribution in source distributions, as the BSD-3-Clause license requires.

Reporting a vulnerability (recommended)

If you discover a security issue in this template or a deployment derived from it:

  • Prefer a private disclosure: send an email to the project's security contact (replace security@example.com) or open a private issue if the hosting provider supports it.
  • If no private channel exists, open a public issue marked with a short title like security: <short description> and then follow up with a redacted example and remediation steps.

If you want, I can add a sample .github/SECURITY.md template and a .env.example showing the config keys that need safe handling.
