If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public issue
2. Use GitHub's private vulnerability reporting
3. Or email: security@libar.dev

We will acknowledge receipt within 48 hours and provide an initial assessment within 7 days.

This package runs as a dev tool (pre-commit hooks, CLI commands, doc generation). It processes local source files and does not make network requests. Supply chain integrity is maintained via npm provenance attestation on all published versions.