# Security Policy

## Supported Versions

| Version | Supported |
| --- | --- |
| Latest port workspace | Yes |

## Reporting A Vulnerability

Report security issues privately to the repository owner. Do not include secrets, private credentials, server tokens, private modpack data, or production server data in public issues.

## Project Security Principles

- Keep secrets, tokens, `.env` files, certificates, private keys, and local server credentials out of the repository.
- Keep Minecraft run data, logs, local worlds, and generated build outputs out of version control.
- Document external dependency repositories in Gradle build files.
- Build release artifacts reproducibly with the Gradle Wrapper and Java 21.
- Run dependency review and release checks before publishing artifacts.

## Current Scope

The active mod changes Create Hose Pulley fluid-draining behavior through NeoForge configuration and mixins. Security review should focus on:

- unexpected file writes,
- unsafe external network calls,
- accidental inclusion of local worlds or logs,
- dependency and loader version drift,
- release artifact contents.