Please report vulnerabilities privately via GitHub private vulnerability reporting — do not open a public issue. You should get a first response within a week.
Only the latest release receives security fixes.
- Release binaries are built by GitHub Actions from a `v*` tag, with build provenance attestations. Verify a download with:

  ```
  gh attestation verify batchkoi_*.tar.gz --repo tawAsh1/batchkoi
  ```
- All workflow actions are pinned to full commit SHAs; dependency updates go through Dependabot with a 7-day cooldown.
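
One way to audit the SHA-pinning policy above is a line-based check over workflow files. This is an added example, not code from the batchkoi repository; the function name `unpinned_actions`, the sample workflow and every action name and SHA in it are constructed, and it assumes each `uses:` key sits on its own line.

```python
import re
import sys

# A step-level or job-level `uses:` key, optionally quoted, ignoring trailing comments.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
DOCKER_DIGEST_RE = re.compile(r"@sha256:[0-9a-fA-F]{64}$")

# Constructed sample workflow; every action name and SHA here is made up.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: example-org/setup-tool@v5
      - uses: example-org/example-action@0123456
      - uses: ./.github/actions/local
  release:
    uses: example-org/shared/.github/workflows/release.yml@main
"""

def unpinned_actions(workflow_text):
    """Return (line_number, reference) for each `uses:` not pinned immutably."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action or workflow: versioned with the repo itself
        if ref.startswith("docker://"):
            if not DOCKER_DIGEST_RE.search(ref):
                findings.append((lineno, ref))  # image tag, not a digest
            continue
        _, sep, version = ref.rpartition("@")
        # Tags, branches and abbreviated SHAs are all mutable or ambiguous.
        if not sep or not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings

if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    sources = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    bad = [(name, n, ref) for name, text in sources.items() for n, ref in unpinned_actions(text)]
    for name, n, ref in bad:
        print(f"{name}:{n}: not pinned to a full commit SHA: {ref}")
    sys.exit(1 if bad else 0)
```

Passing workflow file paths as arguments makes the script exit non-zero when any reference is unpinned, so it can gate a CI job.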