
Security: testacode/cocos-capital-client

SECURITY.md

Security Policy

Supported Versions

Version   Supported
0.x.x     yes

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly.

How to Report

  1. Do NOT open a public GitHub issue
  2. Send an email to the maintainers with:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment within 48 hours
  • Regular updates on the fix progress
  • Credit in the security advisory (unless you prefer anonymity)

Scope

This project is a client library. The following are considered in-scope:

  • Credential exposure or leakage
  • Authentication bypass
  • Insecure data handling
  • Dependency vulnerabilities

The following are out of scope:

  • Issues in the Cocos Capital API itself (report to Cocos Capital)
  • Denial of service attacks
  • Social engineering

Security Best Practices

When using this library:

  1. Never hardcode credentials - Use environment variables
  2. Keep dependencies updated - Run uv sync regularly
  3. Use HTTPS only - The library enforces this by default
  4. Protect your TOTP secret - Treat it like a password

Credential Management

import asyncio
import os

from cocos_capital_client import CocosClient


# Recommended: read credentials from environment variables rather than
# hardcoding them in source, where they would end up in version control.
async def main() -> None:
    async with CocosClient(
        email=os.environ["COCOS_EMAIL"],
        password=os.environ["COCOS_PASSWORD"],
        totp_secret=os.environ["COCOS_TOTP_SECRET"],
    ) as client:
        ...  # use the authenticated client here


asyncio.run(main())

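The snippet above passes `os.environ[...]` straight to the client. As an added example (not part of this project's code), the helper below reads the same three variables, fails fast with the names of any that are unset or empty, and returns an object whose `repr` masks the password and TOTP secret so a stray log line or traceback cannot leak them. `CocosCredentials`, `load_credentials` and `MissingCredentialError` are hypothetical names introduced here.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# Environment variable names used in the Credential Management example above.
REQUIRED_VARS = ("COCOS_EMAIL", "COCOS_PASSWORD", "COCOS_TOTP_SECRET")


class MissingCredentialError(RuntimeError):
    """Raised when one or more required environment variables are unset or empty."""


@dataclass(frozen=True)
class CocosCredentials:
    """The three values CocosClient needs. Secrets never appear in repr()/str()."""
    email: str
    password: str
    totp_secret: str

    def __repr__(self) -> str:
        # Only the (non-secret) email is shown; the password and TOTP secret are
        # masked so that logging the object cannot expose them.
        return f"CocosCredentials(email={self.email!r}, password='***', totp_secret='***')"


def load_credentials(env: Optional[Mapping[str, str]] = None) -> CocosCredentials:
    """Read credentials from os.environ (or a supplied mapping, e.g. in tests).

    An empty or whitespace-only value is treated as missing: passing "" on to
    the client would only surface later as a confusing authentication error.
    """
    source = os.environ if env is None else env
    missing = [name for name in REQUIRED_VARS if not source.get(name, "").strip()]
    if missing:
        raise MissingCredentialError(
            "Missing required environment variable(s): " + ", ".join(missing)
        )
    return CocosCredentials(
        email=source["COCOS_EMAIL"].strip(),
        password=source["COCOS_PASSWORD"],  # not stripped: whitespace may be significant
        totp_secret=source["COCOS_TOTP_SECRET"].strip(),
    )


if __name__ == "__main__":
    # Prints e.g. CocosCredentials(email='you@example.com', password='***', totp_secret='***')
    print(load_credentials())
```

The returned fields can be passed to `CocosClient(email=..., password=..., totp_secret=...)` exactly as in the snippet above.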
See README.md for more details.
