
Security: wrayboss/deriv-ea-lab


SECURITY.md

Security Policy

Reporting a vulnerability

Please report security issues privately, not in public issues or pull requests.

  • Preferred: open a private report via the repository's Security → Report a vulnerability tab (GitHub private vulnerability reporting).
  • Include: a description, reproduction steps, affected files, and the impact you observed.

You will get an acknowledgement as soon as practical. This is a small research-only project maintained on a best-effort basis; please allow reasonable time for a fix before any public disclosure.

What counts as a security issue here

Because this lab is intentionally non-operational, the most valuable reports are about the safety boundary itself, for example:

  • a way that a credential-shaped value could be committed without the secret scan catching it;
  • a tracked file that introduces a trade-execution or position-mutation surface the safety-surface scan does not detect;
  • a path by which the pipeline could write a model/data/binary artifact into version control;
  • any code path that could turn the dry-run signal flow into something that could act on a broker.

Secret-handling rules

  • Never commit secrets. .env, config.ini, tokens, keys, account identifiers, and local credentialed paths are git-ignored and must stay out of version control.
  • The only credential-shaped strings in this repo are placeholders in .env.example / config.example.ini and detection patterns in scripts/scan_secrets.py.
  • Run python scripts/scan_secrets.py before every commit. CI additionally runs a full-history secret scan (gitleaks) on every push and pull request.

Execution boundary (the core guarantee)

This project has no live-trading capability, and that is enforced, not just documented:

  • There is no order-placement and no position-mutation code in any tracked source. scripts/scan_safety_surface.py defines the forbidden surfaces in one place and fails closed if any of them appears anywhere else in the tracked tree.
  • The signal bridge operates in dry-run mode only and refuses to start in any other mode.
  • The MQL5 component is a logging-only skeleton: it reads a dry-run research annotation and prints it. It cannot open, modify, or close any order or position.
  • tests/test_no_trade_surfaces.py and tests/test_no_live_trading.py make these properties part of the merge gate.

If you believe any of these guarantees can be bypassed, that is exactly the kind of report we want.
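The two scans above (credential-shaped strings in "Secret-handling rules", forbidden trade surfaces in "Execution boundary") share the same shape: one rule table, a walk over git-tracked files, and a non-zero exit on any hit. The script below is an added illustration of that fail-closed pattern written for this page; it is not the project's scan_secrets.py or scan_safety_surface.py, and its rule sets, placeholder list, and the `scripts/scan_safety_surface.py` self-path are assumed stand-ins for whatever the real scripts define. It also treats a NUL byte in a tracked file as a finding, which covers the "artifact written into version control" case in the same pass.

```python
"""Fail-closed scanner for git-tracked sources (added example, not the project's scripts).

Flags credential-shaped strings, trade-execution / position-mutation identifiers,
and binary artifacts. Any finding makes the process exit 1.
"""
import re
import subprocess
import sys
from pathlib import Path

# Credential-shaped patterns (assumed; a real scanner carries many more).
# Each pattern captures the sensitive value in group 1.
SECRET_RULES = {
    "api_token_assignment": re.compile(
        r"(?i)\b(?:api[_-]?token|app[_-]?token|secret)\b\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{12,})"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
}
# Values that may legitimately sit in committed example configs (assumed set).
PLACEHOLDERS = {"your_token_here", "REPLACE_ME_TOKEN", "CHANGEME_SECRET"}

# Trade-execution / position-mutation surfaces (assumed list: MQL5 trade calls
# plus generic broker-client verbs). Held in one place so that a second
# occurrence anywhere else in the tree is a finding.
TRADE_RULES = {
    "order_placement": re.compile(
        r"\b(OrderSend|OrderSendAsync|order_send|place_order|buy_contract)\b"),
    "position_mutation": re.compile(
        r"\b(PositionModify|PositionClose|PositionClosePartial|close_position|modify_position)\b"),
}

# The only file allowed to contain the forbidden identifiers: this scanner itself.
SELF = "scripts/scan_safety_surface.py"  # hypothetical location of this script


def scan_file(path: str, data: bytes) -> list[tuple[str, str, int, str]]:
    """Return (path, rule, line, match) findings for one file; never raises."""
    if path == SELF:
        return []
    if b"\x00" in data:
        # A model, dataset or compiled EA has no business in version control.
        return [(path, "binary_artifact", 0, "NUL byte present")]
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return [(path, "undecodable_file", 0, "not valid UTF-8")]  # fail closed
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in SECRET_RULES.items():
            for m in rx.finditer(line):
                if m.group(1) not in PLACEHOLDERS:
                    findings.append((path, name, lineno, m.group(1)))
        for name, rx in TRADE_RULES.items():
            for m in rx.finditer(line):
                findings.append((path, name, lineno, m.group(1)))
    return findings


def scan_files(files: dict[str, bytes]) -> list[tuple[str, str, int, str]]:
    """Scan an in-memory {path: bytes} mapping (used by main() and by tests)."""
    out = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path]))
    return out


def tracked_files(repo: str = ".") -> dict[str, bytes]:
    """Read every git-tracked file: the scan covers exactly what would be committed."""
    names = subprocess.check_output(["git", "-C", repo, "ls-files", "-z"]).split(b"\x00")
    return {n.decode(): (Path(repo) / n.decode()).read_bytes() for n in names if n}


def main() -> int:
    findings = scan_files(tracked_files())
    for path, rule, lineno, match in findings:
        print(f"{path}:{lineno}: {rule}: {match}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the repository root as a pre-commit step or a CI job; the exit code is the gate. Keeping the rule tables in the scanner and skipping only the scanner's own path is what makes the check single-sourced: adding a forbidden identifier anywhere else, even in a test fixture or a comment, fails the run until it is removed or the rule is deliberately changed.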
