Do not open a public GitHub issue for security vulnerabilities.

Report privately using one of these:

1. GitHub Security Advisories (preferred)
2. Contact the maintainer through their GitHub profile

• Description of the vulnerability
• Steps to reproduce
• Affected versions
• Potential impact (e.g. credential leak, arbitrary code execution)
• Suggested fix or mitigation, if you have one

In scope:

• The tooltrim npm package and CLI
• This repository's source code
• Default configuration and documented deployment patterns

Out of scope:

• Vulnerabilities in upstream MCP servers you connect via config
• Misconfiguration of secrets in user-owned tooltrim.config.yaml files
• Issues in third-party dependencies (report those to the upstream project; we will bump deps when fixes are available)

Thank you for helping keep Tooltrim and its users safe.