Only the latest commit on the default branch receives security fixes during the alpha phase.
Do not open a public issue for a vulnerability. Use GitHub private vulnerability reporting for the repository. Include the affected component, reproduction steps, impact, and any suggested mitigation. Do not include PHI, credentials, private keys, or data from systems you do not own or have permission to test.
This repository is a reference implementation. Its API-key authentication, in-memory persistence, experimental privacy mechanism, and contracts are not a production security architecture. See docs/THREAT_MODEL.md.