Security: chris-go/hyperlight-oss

SECURITY.md

Security Policy

Please report vulnerabilities privately through the repository security advisory feature if available, or by contacting the maintainers through the private channel listed on the repository.

Do not open public issues for exploitable vulnerabilities, leaked secrets, authentication bypasses, SSRF, SQL injection, or denial-of-service vectors.

Supported branch

Security fixes target the default branch unless a release branch policy is added later.

Self-hosting notes

  • Rotate all secrets before production use.
  • Keep service databases and caches on private networks.
  • Treat API keys, JWTs, Stripe keys, upstream auth tokens, object-storage credentials, and webhook signing secrets as sensitive.
  • /metrics is protected by X-Admin-Secret when HML_API__ADMIN_SECRET is configured; without an admin secret, metrics are disabled.

There aren't any published security advisories