- Security‑first: crypto and auth changes require review.
- Keep secrets out of the repo; use `.env` for local overrides.
- Prefer open‑source, well‑maintained dependencies.
- Ensure code compiles and tests pass before PRs.
- Run the formatter and linters where available.

Please do not open public issues for vulnerabilities. Contact the maintainers privately with details for responsible disclosure.