Security: FinnaAI/finna-agent

.github/SECURITY.md

Security Policy

Supported Versions

Version | Supported
------- | ---------
0.1.x   | yes (current release line)

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do not open a public GitHub issue
  2. Email security concerns to: security@finna.ai
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Any suggested fixes

We will respond within 48 hours and work with you to understand and address the issue.

Security Measures

This project implements several security measures:

  • Automated security scanning via CodeQL on every PR
  • Dependency auditing via pnpm audit
  • Secret detection via TruffleHog
  • Dependency review blocking high-severity vulnerabilities
  • License compliance denying GPL-3.0 and AGPL-3.0 dependencies

Best Practices

When contributing, please follow these security guidelines:

  • Never commit API keys, tokens, or passwords
  • Use environment variables for sensitive configuration
  • Validate and sanitize all user input
  • Follow the principle of least privilege for tool permissions
  • Keep dependencies up to date