If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public issue.
2. Email the maintainer at the address listed in the repository profile, or use GitHub's private vulnerability reporting.
3. Include a description of the vulnerability, reproduction steps, and potential impact.
4. You will receive an acknowledgement within 72 hours.

ClickGraph runs security checks on every pull request and on a weekly schedule:

CI configuration: .github/workflows/security.yml

• Advisories: Known vulnerabilities are denied; exceptions are documented with rationale.
• Licenses: Only OSI-approved permissive licenses are allowed (MIT, Apache-2.0, BSD, ISC, etc.).
• Sources: Only crates from crates.io are permitted — unknown registries and git sources are denied.
• Duplicates: Multiple versions of the same crate trigger a warning.

The Go (clickgraph-go/) and Python (clickgraph-py/) binding packages have zero runtime dependencies — they are thin wrappers over the Rust FFI shared library. All security-sensitive code lives in the Rust crate and is covered by the auditing above.

If third-party dependencies are added to these packages in the future, the corresponding ecosystem auditing tools should be integrated:

• Go: govulncheck + Dependabot for Go modules
• Python: pip-audit + Dependabot for pip

• Read-only engine: ClickGraph translates Cypher to SQL SELECT queries only. Write operations (CREATE, SET, DELETE, MERGE) are not supported, limiting the attack surface.
• No credential storage: Database credentials are passed via environment variables at runtime, never persisted in configuration files.
• SQL injection mitigation: Query parameters are handled through the Cypher parser AST, not string interpolation. String literals in Cypher are escaped before embedding in generated SQL.