Please do not report security vulnerabilities through public GitHub issues.

To report a security vulnerability, please email the maintainers directly or use GitHub's private security advisory feature.

• Type of issue (e.g., injection, authentication bypass, data exposure)
• Full paths of affected source files
• Location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce
• Proof-of-concept or exploit code (if possible)
• Impact assessment

• The default registry is in-memory with no authentication. Production deployments should add authentication middleware.
• Restrict /register/provider and /register/offering endpoints to authorized clients.

• Validate the identity of federation nodes before enabling federation.
• Use TLS for all federation connections.
• Set appropriate ttl_hops limits to prevent federation loops.

• Discovery intents may contain sensitive information. Implement audit log retention policies.
• Do not log full intent text in production without appropriate access controls.

• All inputs are validated via Pydantic schemas.
• Implement rate limiting on /discover endpoints in production.