If you discover a security vulnerability, please report it responsibly:

1. Do not open a public issue
2. Email the maintainers or use GitHub Security Advisories
3. Include a description of the vulnerability and steps to reproduce

We will acknowledge receipt within 48 hours and provide a fix timeline.

• All user-controlled values in SQL queries use parameterized queries (Drizzle sql tagged template)
• JSON path segments validated with assertSafeIdentifier to prevent injection via sql.raw
• No eval, no dynamic require, no user-controlled code execution