Please use a private disclosure channel for security reports. Do not use public trackers for security problems.

Include:

• A clear description of the issue and potential impact
• Steps to reproduce
• Any relevant configuration or environment details

The supported version is v1.0.0.

• High-risk tools are disabled by default and require explicit enablement.
• No request headers or bodies are logged by default.
• Outbound tools rely on allowlists and size limits to reduce abuse risk.