Security: GoodshytGroup/OctaTouch

SECURITY.md

Security Policy

Reporting a Vulnerability

Please open a GitHub Security Advisory rather than a public issue. We aim to respond within 72 hours and issue a patch within 14 days for confirmed vulnerabilities.

Threat Model

See docs/security-threat-model.md for the full analysis. Key notes for contributors:

  • The gesture engine processes only normalised contact coordinates. Raw sensor data must be sanitised by the platform adapter before reaching GestureEngine.
  • Archive IDs are uint32_t opaque identifiers; they must not be used directly as file-system paths or database keys without additional validation.
  • The vehicle HMI integration (integrations/in-vehicle-hmi/DrivingModeGate) enforces safety-critical state gating — do not bypass it.
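As an added illustration of the archive-ID note (example code, not OctaTouch's own; ArchiveRegistry, its storage-slot names and the reserved kNullId handle are assumptions), the resolver below validates a uint32_t archive ID against a registry and returns the registry's own storage name, so an unchecked ID never becomes a path on its own:

```cpp
#include <cstdint>
#include <optional>
#include <string>
#include <unordered_map>

// Opaque archive handle, as the policy describes (uint32_t).
using ArchiveId = std::uint32_t;

// Hypothetical registry that owns the mapping from opaque ID to an
// internal storage slot. The numeric ID itself never becomes part of a path.
class ArchiveRegistry {
public:
    // ID 0 is reserved as the "null" handle so a zero-initialised value
    // can never resolve to a real archive.
    static constexpr ArchiveId kNullId = 0;

    // Registers a storage slot and returns a fresh opaque ID for it.
    ArchiveId add(std::string storageSlot) {
        ArchiveId id = next_++;
        slots_.emplace(id, std::move(storageSlot));
        return id;
    }

    // The pattern the policy forbids: building a path from whatever value
    // the caller passed, with no check that it names a registered archive.
    static std::string unsafePath(ArchiveId id) {
        return "archives/" + std::to_string(id) + ".bin";
    }

    // Hardened resolution: the ID must exist in the registry, and the caller
    // gets the registry's own storage name rather than a string derived from
    // the untrusted value. Null, unknown and revoked IDs resolve to nothing.
    std::optional<std::string> resolve(ArchiveId id) const {
        if (id == kNullId) return std::nullopt;
        auto it = slots_.find(id);
        if (it == slots_.end()) return std::nullopt;
        return "archives/" + it->second;
    }

    // Revocation: once an archive is deleted, a stale ID still held by some
    // caller must stop resolving. Returns false if the ID was not registered.
    bool revoke(ArchiveId id) { return slots_.erase(id) == 1; }

private:
    ArchiveId next_ = 1;
    std::unordered_map<ArchiveId, std::string> slots_;
};
```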

There aren't any published security advisories