Security issues should be reported privately until the repository publishes a stable disclosure workflow.

- Do not open public issues for exploitable vulnerabilities.
- Provide a minimal reproduction, affected surface, and impact estimate.
- Include whether the issue affects AO, SO, shared contracts, or packaging.

Until a dedicated mailbox is published, security handling details are maintained in docs/en/governance/policies/security.md.