The current per-component STRIDE threat model lives at
docs/security/threat-model.md. It enumerates
the production attack surface (SvelteKit frontend, Tauri shell, Go backend,
nvms orchestrator, LLM providers, AWS, CI/CD pipeline) and the mitigations
in place today. Review cadence: on every minor release, on any new external
dependency, and quarterly at minimum.

Please report security vulnerabilities via GitHub Security Advisories:
- Open a private security advisory
- For sensitive issues, contact the repository owner directly

Only the latest main branch is supported; older versions are not.

We follow coordinated disclosure with reporters. Once an issue is patched, an advisory is published.

Rust projects in this org enforce a zero-advisory floor via the cargo-deny.yml workflow (weekly Monday cron, plus on-demand runs).
Static analysis (CodeQL) runs weekly on Tuesday via the codeql-rust.yml workflow.