
Security: OpenJobsAI/doctorial


SECURITY.md

Security Policy

Reporting a Vulnerability

Please do not open a public GitHub issue for suspected vulnerabilities.

Instead, report security issues privately to the project maintainers through the security contact configured for the repository or the maintainers' preferred private reporting channel.

When reporting, include:

  • a short description of the issue
  • the affected area or file path
  • reproduction steps if available
  • impact assessment
  • any suggested mitigation

Scope

Security-sensitive areas in Doctorial include:

  • model API key handling
  • local filesystem writes and bundle downloads
  • framework artifact generation
  • parsing of remote documentation sources
  • command-line handling of local and remote documentation inputs

Secrets and Local Development

  • Keep credentials in .env or your shell environment.
  • Do not commit .env, generated secrets, or screenshots containing live credentials.
  • Rotate any credential that has been exposed in logs, screenshots, or shell history.
