Security: learnkit-ai/learnkit

SECURITY.md

Security Policy

Supported versions

Version Supported
0.x

We will move to a stable v1 once the public API has been used in production by at least three independent integrators. Until then, breaking changes can land in minor releases, with notice in the changelog.

Reporting a vulnerability

Please do not open a public GitHub issue for security reports.

Instead, email security@learnkit-ai.com with:

  1. A description of the vulnerability
  2. Steps to reproduce
  3. The affected package and version
  4. Any suggested fix or mitigation

We will acknowledge receipt within 48 hours and aim to publish a fix or mitigation within 14 days for high-severity issues. We will credit reporters by name (or pseudonym) in the release notes unless asked to keep the report anonymous.

Scope

In scope:

  • The published packages: @learnkit-ai/schemas, @learnkit-ai/core, @learnkit-ai/react
  • The marketing site at learnkit-ai.com
  • Build/release tooling that affects supply-chain integrity

Out of scope:

  • Self-hosted forks
  • Issues that require physical access to a user's machine
  • Social engineering of community members

Responsible disclosure

We follow standard responsible-disclosure practices. We ask that you give us a reasonable window to fix the issue before public disclosure. We will keep you informed of progress and will not threaten or pursue legal action against good-faith security researchers.
