This is a template for academic research workflows. It ships hooks that execute locally (.claude/hooks/*.py, .githooks/pre-commit), skills that drive autonomous review loops, and guidance for handling restricted/confidential data — so security reports are taken seriously even though the repo contains no service or secrets itself.

• Preferred: open a private security advisory on GitHub.
• Please do not open a public issue for anything that could expose a forker's data (e.g., a hook that leaks file contents, a guardrail bypass, an unattended-routine footgun).

In scope, for example:

• Bypasses of git-guardrails.py (destructive-git blocking) or the pre-commit gate.
• A skill/hook that could exfiltrate or overwrite user data outside the repo.
• Incorrect security guidance (e.g., a documented pattern that claims to sandbox but does not — see the allowed-tools vs disallowed-tools note in templates/skill-template.md).
• Flaws in the confidential-data guidance (.claude/rules/confidential-data.md) that could lead to restricted-data exposure.

Solo-maintained academic project: acknowledgement within a week is the goal, a fix or documented mitigation as soon as practical. Credit given in the CHANGELOG unless you prefer otherwise.

• Vulnerabilities in Claude Code itself → report to Anthropic.
• Vulnerabilities in third-party R/Stata/Python packages the skills orchestrate → report upstream.