Do not open public issues for security reports.

Email security reports to:

security@tryoz.dev

Include:

• affected version
• operating system
• impacted agent
• reproduction steps
• expected impact

In scope:

• CLI config-writing behavior
• API key handling in generated MCP config
• accidental disclosure of local paths, prompts, file contents, or keys
• hosted MCP endpoint authentication issues

Out of scope:

• third-party agent behavior outside Oz-owned config
• issues caused by manually edited local config
• indexed third-party documentation accuracy reports

For documentation quality issues, open a normal GitHub issue.