Do not commit API keys or provider credentials.

Use local .env, .env.local, or process environment variables. These files are gitignored.

Generated traces and rate-limit state are written to .apg/ by default. This directory is gitignored.

Trace storage redacts common secret-like fields before writing payloads, but applications should still avoid passing secrets in request metadata.

Until a public security contact exists, open a private advisory or contact the repository owner directly.

Please do not publish exploit details before maintainers have a chance to respond.