
Security: nextframedev/docs_rag_app


Security Policy

Reporting A Vulnerability

If you believe you have found a security issue in docs_rag_app, please do not open a public issue containing exploit details.

Instead, use GitHub private vulnerability reporting for this repository:

https://github.com/nextframedev/docs_rag_app/security/advisories/new

If that path is unavailable, open a minimal public issue without exploit details and ask for a private follow-up channel.

Include:

  • a short description of the issue
  • affected files or surfaces
  • reproduction steps
  • expected impact

Project Scope Notes

docs_rag_app is a local-first teaching project. Even so, a few areas are worth treating carefully:

  • local file access
  • API exposure on non-local networks
  • model endpoint configuration
  • evaluation-set path handling
  • evaluation fixtures that may contain sensitive source text

Safe Defaults

When contributing, prefer:

  • loopback-only local server examples
  • explicit file paths
  • no hidden network calls
  • predictable JSON responses
  • clear documentation when a feature changes local file or API behavior
  • extra caution before binding the local web app to a non-loopback host
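As an added example that is not part of the docs_rag_app code base, the following Python shows two of these defaults as they might be enforced in a local-first service: refusing to bind to a non-loopback host unless a caller explicitly opts in, and confining evaluation-set paths to one configured directory so that `../` segments and symlinks cannot reach other local files. The function names, the `allow_non_loopback` flag and the evaluation-root directory are assumptions for illustration, not the project's own configuration.

```python
"""Added example (not code from docs_rag_app): two safe-default checks for a
local-first web app.

Assumptions (hypothetical, not taken from the repository):
- the server reads its bind host from configuration as a string
- all evaluation sets live under a single configured directory (eval_root)
"""
import ipaddress
from pathlib import Path


def is_loopback_host(host: str) -> bool:
    """Return True only for loopback bind addresses: 127.0.0.0/8, ::1, or 'localhost'.

    Anything that does not parse as an IP address (a hostname other than
    'localhost') is treated as non-loopback, since it could resolve anywhere.
    """
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_bind_host(host: str, allow_non_loopback: bool = False) -> str:
    """Return the host to bind to, refusing non-loopback hosts unless allowed.

    '0.0.0.0' and '::' are the usual accidental exposures: they listen on every
    interface, so they are rejected here by default like any other non-loopback address.
    """
    if is_loopback_host(host) or allow_non_loopback:
        return host
    raise PermissionError(
        f"refusing to bind to {host!r}; set allow_non_loopback=True to expose the API "
        "beyond this machine"
    )


def resolve_eval_path(eval_root: Path, requested: str) -> Path:
    """Resolve a requested evaluation-set path and confirm it stays inside eval_root.

    Both the root and the candidate are fully resolved (symlinks followed) before
    the containment check, so '..' segments and symlinks that point outside the
    root are rejected rather than silently followed.
    """
    root = eval_root.resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(
            f"evaluation-set path escapes {root}: {requested!r}"
        ) from None
    return candidate


if __name__ == "__main__":
    # Constructed inputs for a quick manual run; not taken from the project.
    print(check_bind_host("127.0.0.1"))            # accepted
    try:
        check_bind_host("0.0.0.0")                  # rejected by default
    except PermissionError as exc:
        print("blocked:", exc)

    root = Path.cwd() / "eval_sets"
    print(resolve_eval_path(root, "smoke/questions.jsonl"))
    try:
        resolve_eval_path(root, "../../../../../../../../etc/passwd")
    except PermissionError as exc:
        print("blocked:", exc)
```

Both checks are cheap enough to run at startup and on every evaluation-set request; the point of resolving both sides before `relative_to` is that a string-prefix comparison on the unresolved path would accept a symlink inside the root that points elsewhere.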
