If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public issue
2. Email the maintainer directly (see GitHub profile)
3. Include a description of the vulnerability and steps to reproduce
4. Allow reasonable time for a fix before public disclosure

We aim to respond within 48 hours and release a fix within 7 days for critical issues.

This policy covers all @agentskit/* npm packages. Third-party adapters and example code are provided as-is.