Security: heirlabs/heir

SECURITY.md

Security Policy

Supported versions

Version   Supported
main      yes

Reporting a vulnerability

Do not open public GitHub issues for security vulnerabilities.

Email security@heir.es with:

  • Description of the issue and impact
  • Steps to reproduce
  • Affected components (frontend, server/, MCP, etc.)
  • Suggested fix (optional)

We aim to acknowledge reports within 3 business days and provide a remediation timeline within 90 days for confirmed issues.

Secure development

  • Never commit .env files, private keys, or API secrets
  • Use .env.example as the only committed env template
  • Run npm audit before submitting pull requests
  • Test contract generation on testnets only
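
As an added illustration of the first three items above (a hypothetical hook, not code from the heir repository): a Git pre-commit hook that refuses staged .env files other than .env.example, refuses staged private-key material by file name or by PEM header, and runs npm audit before the commit is accepted.

```shell
#!/bin/sh
# Hypothetical pre-commit hook for the checklist above (added example, not heir's own code).
# Install: cp pre-commit .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit

# Exit 0 when the path name looks like a secret that must never be committed, 1 otherwise.
# .env.example is the only committed env template, so it is the one .env* name allowed.
path_is_forbidden() {
  case "$(basename "$1")" in
    .env.example) return 1 ;;
    .env|.env.*) return 0 ;;                                 # .env, .env.local, .env.production ...
    *.pem|*.key|*.p12|*.pfx|id_rsa|id_ed25519) return 0 ;;  # private key material
  esac
  return 1
}

# Exit 0 when stdin contains a PEM private-key header (catches keys under innocent file names).
content_has_private_key() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# Read newline-separated paths from stdin and print each offender; exit 1 if any was found.
find_forbidden_paths() {
  clean=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if path_is_forbidden "$p"; then
      echo "blocked (secret-looking name): $p"
      clean=1
    fi
  done
  return $clean
}

main() {
  status=0
  staged=$(git diff --cached --name-only --diff-filter=ACM)
  printf '%s\n' "$staged" | find_forbidden_paths || status=1
  for p in $staged; do
    # Inspect the staged blob, not the working-tree copy
    if git show ":$p" 2>/dev/null | content_has_private_key; then
      echo "blocked (private key in content): $p"; status=1
    fi
  done
  # Fail the commit on high or critical advisories in the dependency tree
  npm audit --audit-level=high || status=1
  [ "$status" -eq 0 ] || echo "pre-commit: fix the issues above before committing"
  return $status
}

# Only run the checks when git invokes this file as a hook
case "$0" in *pre-commit) main ;; esac
```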

Pre-release credential hygiene

If you are preparing a public release from a private fork, complete docs/open-source/CREDENTIAL_ROTATION_CHECKLIST.md before publishing.