Security: ronsse/trellis-ai

SECURITY.md

Security Policy

Supported Versions

| Version | Supported |
|---------|-----------|
| 0.2.x   | Yes       |
| < 0.2   | No        |

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do not open a public issue.
  2. Email security@ronsse.dev with a description of the vulnerability, steps to reproduce, and any relevant logs or screenshots.
  3. You will receive an acknowledgment within 48 hours.
  4. We aim to provide a fix or mitigation within 7 days for critical issues.

Scope

Security reports are welcome for:

  • The core trellis library and all published packages (trellis_cli, trellis_api, trellis_sdk, trellis_workers)
  • The MCP server (trellis-mcp)
  • The REST API (trellis-api)
  • CI/CD configuration and published container images

Disclosure

We follow coordinated disclosure. Once a fix is available, we will:

  1. Release a patched version.
  2. Publish a GitHub Security Advisory.
  3. Credit the reporter (unless they prefer anonymity).

There are no published security advisories for this repository at this time.