Report security issues privately before public disclosure.

• Do not open a public issue for an active security report.
• Include the affected header, compiler, platform, and a minimal reproducer.
• Do not attach fabricated logs or unverified exploit claims.