Security: ickas/plausible-mcp

Security Policy

Reporting a vulnerability

Please do not file public issues for security problems.

Email security reports to hey+claude@ickas.xyz with:

  • A description of the issue and its impact.
  • Steps to reproduce.
  • (Optional) a suggested fix.

You should receive an acknowledgement within 72 hours. Once the issue is fixed and released, the reporter will be credited in the release notes (unless they prefer to remain anonymous).

Scope

This project:

  • Reads PLAUSIBLE_API_KEY from the environment and uses it only as a bearer token against the Plausible endpoint configured via PLAUSIBLE_BASE_URL (default https://plausible.io).
  • Does not log the API key or the request bodies.
  • Does not make network calls to any other host.

If you spot behaviour that contradicts any of the above, please treat it as a security issue.

Supported versions

This is a single-branch project. Fixes land on main. Fixes are not backported to prior tagged releases unless the fix is trivial and the release is recent.
