# Security Policy

## Supported surfaces

Security fixes are currently handled on the active `main` branch and released in the next practical app or package version.

## Reporting a vulnerability

Please do **not** open a public GitHub issue for a suspected vulnerability. Instead, report privately via:

- GitHub security advisory / private vulnerability report on this repository, or
- email the maintainer at `keithbatterham@pm.me`

Please include:

- affected version or commit
- reproduction steps
- impact assessment
- any proposed mitigation if you have one

## Response expectations

The project aims to:

- acknowledge reports promptly
- validate and triage credible issues
- fix confirmed vulnerabilities in the next practical release window
- document material security fixes in release notes or changelogs where appropriate

## Supply-chain notes

This project publishes the npm package from GitHub Actions with npm provenance enabled, and package source remains public in this repository.