• Please report vulnerabilities privately via GitHub Security Advisories or email: zak@zaigood.com.
• Do not open public issues for sensitive reports.
• We aim to respond within 3 business days.

Scope: bin/, src/, and release artifacts. Do not test production npm tokens or secrets.