Vulnerability disclosure

Report suspected security issues to security@sfagent.dev.

Include a clear description of the issue, reproduction steps, affected URL or route, impact assessment, and any logs or screenshots needed to verify the report. Do not include plaintext customer secrets unless they are required to demonstrate impact.

We ask reporters to avoid public disclosure until the issue has been triaged and a remediation plan is in place. Good-faith testing that avoids customer impact, privacy violations, or service disruption is welcome.