Please report vulnerabilities privately to the maintainers via your standard security contact channel.
Do not open public issues for suspected secret exposure or exploit details.
In scope:
- CLI auth/profile handling
- request signing and header behavior
- local policy and audit log behavior
Out of scope:
- user-managed API keys compromised outside this repository
- third-party service outages