# Security Policy

## Supported Versions

| Version | Supported |
| --- | --- |
| Latest `main` | Yes |

## Reporting A Vulnerability

Report security issues privately to the project owner.

Do not include secrets, production data, private repository URLs, or credentials in public issues.

## Project Security Principles

- Keep secrets out of the repository.
- Prefer local processing for user data.
- Document external network calls.
- Keep release artifacts reproducible through CI.
- Run dependency and workflow checks before releases.
- Connected Library v1 must use public HTTPS manifest and `.mrpack` URLs only.