Security: F0RLE/Axelate

SECURITY.md

Security Policy

Supported Versions

Axelate is in active early development. Security fixes are made on the nightly branch first and released through main when a tagged release is prepared.

Reporting A Vulnerability

Do not open a public issue for a suspected vulnerability.

Use GitHub private vulnerability reporting when available, or contact the repository owner through GitHub with enough detail to reproduce and assess the issue.

Include:

  • affected version or commit
  • operating system version
  • reproduction steps
  • expected impact
  • relevant logs, screenshots, or proof-of-concept details

Security Defaults

The repository uses GitHub secret scanning, push protection, Dependabot alerts, and Dependabot security updates.

Additional repository security automation:

  • CodeQL scans TypeScript/JavaScript and Rust on pushes to protected branches, on a weekly schedule, and on manual dispatch.
  • Dependency Review runs on pull requests targeting main and nightly when npm or Cargo dependency files change.
  • Scheduled Security Audit runs npm audit --audit-level=high and cargo audit.
  • CodeRabbit is configured to review security-sensitive Rust/Tauri, TypeScript, workflow, and resource changes.

Release tags must match project versions and point to commits reachable from main. Tags matching v* are protected against deletion and non-fast-forward updates.
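
One way to check the release-tag rule above before publishing, as an added example that is not part of the Axelate repository or its workflows. The function name check_release_tag, the v<version> tag format, and passing the project version as an argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: release-tag gate. check_release_tag is a hypothetical helper,
# and the "v" + version tag format is an assumption, not taken from the project.

# check_release_tag TAG VERSION [MAIN_REF]
# Returns 0 only if TAG equals "v" + VERSION, exists as a tag, and the commit
# it points to is reachable from MAIN_REF (default: main).
# Run from inside the git work tree being released.
check_release_tag() {
    tag=$1 version=$2 main_ref=${3:-main}

    # 1. The tag name must be exactly v<project version>.
    if [ "$tag" != "v$version" ]; then
        echo "reject: tag $tag does not match project version $version" >&2
        return 1
    fi

    # 2. The tag must exist; ^{commit} peels an annotated tag to its commit.
    commit=$(git rev-parse --verify --quiet "refs/tags/$tag^{commit}") || {
        echo "reject: tag $tag not found" >&2
        return 2
    }

    # 3. The tagged commit must be main itself or one of its ancestors.
    #    A missing MAIN_REF makes git fail here and is rejected the same way.
    if ! git merge-base --is-ancestor "$commit" "$main_ref"; then
        echo "reject: $tag ($commit) is not reachable from $main_ref" >&2
        return 3
    fi

    echo "ok: $tag -> $commit"
}
```

The distinct return codes (1 version mismatch, 2 missing tag, 3 not reachable from main) let a calling job report which part of the rule failed.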

There aren't any published security advisories