Please do not report a vulnerability by opening a public issue when it could expose personal data or credentials. Use GitHub's private vulnerability reporting feature for this repository.

The primary safety boundary is architectural: a live personal vault is not a Git repository, and publication uses an explicit allowlist into a separate checkout. Treat any path-bypass, unintended-file export, credential exposure, or publication of personal content as a security issue.

Before reporting, remove personal material from screenshots, logs, examples, and reproduction cases.