Security: The-Pocket/PocketFlow-Zig

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.3.x
< 0.3

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in PocketFlow-Zig, please report it responsibly.

How to Report

  1. Do not open a public GitHub issue for security vulnerabilities
  2. Email the maintainers directly or use GitHub's private vulnerability reporting feature
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Any suggested fixes (optional)

What to Expect

  • Acknowledgment within 48 hours
  • Status update within 7 days
  • Credit in the security advisory (unless you prefer anonymity)

Scope

This policy applies to:

  • The core PocketFlow-Zig library (src/)
  • The Ollama client integration
  • Build system and examples

Security Considerations

When using PocketFlow-Zig:

  1. Memory Safety: The library uses Zig's explicit memory management. Ensure proper cleanup of nodes, flows, and contexts to prevent leaks.

  2. Thread Safety: The Context type uses mutex protection, but node implementations must handle their own thread safety if accessing external resources.

  3. Ollama Integration: When using the Ollama client:

    • Validate and sanitize prompts before sending to the LLM
    • Be aware that Ollama runs locally; ensure your Ollama instance is properly secured
    • Do not expose the Ollama endpoint to untrusted networks
  4. Input Validation: Node implementations should validate inputs from the Context to prevent unexpected behavior.
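A check for the Ollama Integration item above, as an added example that is not part of PocketFlow-Zig: it classifies an `OLLAMA_HOST`-style listen address by how widely it exposes the API. It assumes Ollama's default of `127.0.0.1:11434` when the variable is unset; the function names and sample values are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: Ollama listens here when OLLAMA_HOST is unset.
DEFAULT_BIND = "127.0.0.1:11434"


def classify_bind(value):
    """Classify an OLLAMA_HOST-style value by how widely it exposes the API."""
    value = (value or DEFAULT_BIND).strip()
    if "://" not in value:
        value = "http://" + value  # lets urlsplit handle host:port and [v6]:port
    host = urlsplit(value).hostname or ""
    if host == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "review"  # hostname or empty host: resolve and check by hand
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "all-interfaces"  # 0.0.0.0 or ::, every network the host is on
    if addr.is_private or addr.is_link_local:
        return "private-network"
    return "public"


def needs_attention(values):
    """Return (value, verdict) pairs for every setting that is not loopback-only."""
    verdicts = ((v, classify_bind(v)) for v in values)
    return [(v, verdict) for v, verdict in verdicts if verdict != "loopback"]


# Constructed sample settings, as they might appear in service unit files.
SAMPLES = [
    "127.0.0.1:11434",
    "[::1]:11434",
    "http://0.0.0.0:11434",
    "192.168.1.20:11434",
    "ollama.internal:11434",
]

if __name__ == "__main__":
    for value, verdict in needs_attention(SAMPLES):
        print(f"{value}: {verdict}")
```

Anything other than `loopback` means the endpoint is reachable from other hosts and needs a network control in front of it, such as a firewall rule or an authenticating reverse proxy.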

Security Updates

Security fixes are released as patch versions and documented in the CHANGELOG.md file.

There aren't any published security advisories