Please do not disclose security issues publicly before a fix is available.

• Report privately via GitHub Security Advisories or email the maintainers.
• Provide a minimal reproduction, impact assessment, and affected versions if known.
• We will acknowledge receipt within 72 hours and provide a remediation plan once triaged.

Security fixes are generally provided for the latest released version on PyPI.

This policy covers the code in this repository. Third-party dependencies should be reported to their respective projects.