# Security

AITuner launches local or remote serving engines and may replay trace payloads. Do not commit secrets, API keys, private trace content, or private model access tokens.

## Reporting

Report security issues privately to the project maintainers. If this repository is mirrored to a public forge, use that forge's private vulnerability reporting flow when available.

## Operational Guidance

- Keep `.env` files local; `.env.example` documents expected variable names.
- Review generated trial artifacts before publishing them, because request payloads may contain trace text.
- Treat remote execution configs as sensitive when they include internal host names, paths, or scheduler details.