Do not open a public issue. Use GitHub's private vulnerability reporting feature instead.

Include a description, reproduction steps, and potential impact.

• No secrets in code — Azure Key Vault (prod), User Secrets (dev)
• Microsoft Entra ID authentication on all protected endpoints
• FluentValidation on all API inputs
• Entity Framework Core parameterized queries (no raw SQL concatenation)
• HTTPS enforced in all environments