Please report suspected vulnerabilities privately to the maintainers.

Include:

• affected version/commit,
• reproduction input,
• observed behavior,
• expected safe behavior,
• impact assessment.

Do not open public issues with exploitable details before maintainers have time to triage and patch.

Security-relevant areas include:

• parser bounds safety,
• selector parser and matcher memory safety,
• mutation logic in in-place attribute/entity decode,
• external tool command invocation paths in tools/scripts.zig.

• Acknowledge receipt promptly.
• Triage and determine severity.
• Publish patch and changelog notes when resolved.