Security: leohuang0423/agent-auth-kit

SECURITY.md

Security Policy

Supported Scope

This repository is a public auth orchestration core. It intentionally excludes private provider implementations and private infrastructure credentials.

Security Expectations

  • Never commit tokens, cookies, device codes, or real recipient identifiers.
  • Never use examples that require real internal credentials.
  • Never ask users to paste secrets into chat as the default workflow.
  • Keep browser handoff explicit when session transfer cannot be proven safe.

Reporting

If you discover a security issue, do not open a public issue with exploit details. Contact the maintainer privately first and include:

  • affected version
  • impact
  • reproduction steps
  • proposed mitigation if available

Out Of Scope

  • vulnerabilities in private companion providers
  • bugs caused by an operator pasting live secrets into demos, against project guidance

There aren’t any published security advisories