Security: SdSarthak/AegisAI

SECURITY.md

Security Policy

Supported Versions

Version         | Supported
0.1.x (current) | Yes

Reporting a Vulnerability

Please do NOT open a public GitHub issue for security vulnerabilities.

Use GitHub Security Advisories to report privately.

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

You will receive a response within 48 hours. We follow responsible disclosure — we'll credit you in the release notes once the fix is published.

Scope

In scope:

  • Authentication bypass
  • SQL injection
  • Prompt injection in the Guard module itself
  • Privilege escalation
  • Sensitive data exposure

Out of scope:

  • Denial of service attacks
  • Issues requiring physical access to the server
