Security: beogip/code-first-agents-tool

SECURITY.md

Security Policy

Supported Versions

This project follows a rolling-release model. Only the latest published release of @code-first-agents/tool on npm receives security fixes. Please upgrade to the most recent version before reporting a vulnerability.

Version            Supported
Latest release     Yes
Any older release  No

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

The preferred channel is GitHub's private vulnerability reporting:

  1. Go to the Security tab of this repository.
  2. Click "Report a vulnerability" and fill in the advisory form.

This keeps the report private and links it directly to a draft security advisory.

If you are unable to use private vulnerability reporting, email beogip@gmail.com instead.

When reporting, please include:

  • A description of the vulnerability and its impact.
  • Steps to reproduce (a minimal proof of concept is ideal).
  • The affected version and your environment (runtime, OS).

You can expect an initial acknowledgement within a few days. Because this project is maintained in spare time, response and fix timelines are best-effort. Coordinated disclosure is appreciated — please give the maintainer a reasonable window to ship a fix before any public disclosure.

There aren't any published security advisories