If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue
- Email the maintainers or use GitHub's private vulnerability reporting
- Include steps to reproduce and potential impact

We will acknowledge receipt within 48 hours and provide a timeline for a fix.

Lore is a convention-based harness with no runtime server or network services. Security concerns are primarily:
- Hook scripts that execute on every tool use (potential for injection if hooks are modified)
- Shell scripts that parse file content (potential for command injection via crafted filenames or content)
- Docker configuration for the docs server (container isolation)

| Version | Supported |
|---|---|
| 0.12.x | Yes |