
Security: madhavcodez/cortex-score


SECURITY.md

Security Policy

Reporting a vulnerability

Please report security issues privately via GitHub's private vulnerability reporting rather than a public issue. Include a description, affected version, and a reproduction if possible. You'll get an acknowledgement and a fix or mitigation plan.

Supply-chain posture

This package is built and published with a deliberately conservative supply chain. Please preserve these properties in any CI/release change:

  • Pinned GitHub Actions. Every action in .github/workflows/ is pinned to a full commit SHA (not a moving tag), so a compromised or retagged action cannot silently change the build. Dependabot (.github/dependabot.yml) proposes updates as reviewable PRs.
  • OIDC trusted publishing. Releases publish to PyPI via pypa/gh-action-pypi-publish using OpenID Connect - there is no stored PyPI API token in the repository or CI secrets. Do not introduce twine upload with a long-lived token.
  • Build attestations. The release workflow publishes with attestations: true (PEP 740), so each uploaded artifact carries a signed provenance attestation that ties it to the repository and workflow run that produced it, and consumers can check that link on PyPI.
  • Least privilege. Workflows default to permissions: contents: read; only the publish job opts into id-token: write.
  • No curl | bash in CI. Don't pipe remote scripts into a shell in the build; install from pinned, vetted sources.
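The five properties above are easy to lose in a routine CI change. The following is an added example, not code from cortex-score, of a small regex-based check that flags the regressions the list warns about (an action pinned to a tag instead of a full SHA, a remote script piped to a shell, a twine upload, a missing or over-broad workflow-level permissions block, or id-token: write granted workflow-wide). The two sample workflows are constructed for illustration and use all-zero placeholder SHAs, not real pins; a regex scan is a guardrail, not a YAML parser, so it will not follow anchors or reusable-workflow calls.

```python
"""Added check, not part of cortex-score: scan workflow YAML for the posture above (regex only, no PyYAML)."""
import re

HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z)?sh\b")
TWINE_UPLOAD = re.compile(r"\btwine\s+upload\b")


def _top_level_permissions(text: str):
    """Lines of the workflow-level permissions block, or None if absent (one-line form returns its value)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("permissions:"):
            inline = line[len("permissions:"):].strip()
            if inline:
                return [inline]
            block = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and not nxt[0].isspace():
                    break  # back at column 0: the block has ended
                if nxt.strip():
                    block.append(nxt.strip())
            return block
    return None


def audit_workflow(text: str) -> list[str]:
    """Return findings; an empty list means the workflow keeps every property listed above."""
    findings = []
    for m in USES.finditer(text):
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and image refs are not re-taggable upstream tags
        _, _, version = ref.partition("@")
        if not HEX40.match(version):
            findings.append(f"unpinned action {ref}: pin to a full commit SHA")
    for m in PIPE_TO_SHELL.finditer(text):
        findings.append(f"remote script piped to a shell: {m.group(0).strip()}")
    if TWINE_UPLOAD.search(text):
        findings.append("twine upload found: publish with pypa/gh-action-pypi-publish over OIDC instead")
    perms = _top_level_permissions(text)
    if perms is None:
        findings.append("no workflow-level permissions block: GITHUB_TOKEN falls back to the repository default")
    elif any("write-all" in p for p in perms):
        findings.append("workflow-level permissions: write-all: default to contents: read")
    elif any(p.startswith("id-token:") and "write" in p for p in perms):
        findings.append("id-token: write granted to every job: scope it to the publish job")
    return findings


# Constructed sample workflows; the 40-zero SHAs are placeholders, not real pins.
GOOD_WORKFLOW = """\
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - run: python -m pip install build && python -m build
  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: pypa/gh-action-pypi-publish@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          attestations: true
"""

BAD_WORKFLOW = """\
name: release
on: push
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: curl -sSL https://example.invalid/install.sh | bash
      - run: twine upload dist/*
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
"""

if __name__ == "__main__":
    for label, wf in (("good", GOOD_WORKFLOW), ("bad", BAD_WORKFLOW)):
        print(label, audit_workflow(wf) or "OK")
```

Run it over each file in .github/workflows/ as a pre-merge step; a non-empty list should fail the check. Note that a workflow where every job sets its own permissions block is also acceptable, so the "no workflow-level permissions" finding is a prompt to look, not proof of a problem.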

Runtime safety notes

  • import cortex_score and the CPU-only scoring path require only numpy + pydantic + platformdirs - no network access, no code execution from data. Bundled atlas .npy files are loaded with allow_pickle=False, so an object-dtype array (which np.load would otherwise unpickle, running whatever the pickle encodes) is rejected instead of deserialized.
  • Bundled atlas data is SHA-256 fingerprinted in data/manifest.json and verified on load; a tampered wheel raises AtlasMismatchError.
  • ScoreResult is PII-safe by default: only the input file's basename is recorded; the absolute path is opt-in (include_absolute_path=True).
  • The full score() path runs third-party model code (TRIBE v2); install it only from the pinned requirements/tribev2-gpu.txt.
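The manifest check and the allow_pickle=False rule above combine into one load path: hash every listed file, refuse anything missing or altered, and only then hand a verified path to np.load. The block below is an added example, not cortex-score's own loader, and it assumes a manifest layout of {"files": {"<name>": "<sha256 hex>"}}, which is not the project's documented format. The fixture it builds is constructed byte blobs, not real .npy files; numpy is imported only inside load_atlas so the verification path itself runs with the standard library alone.

```python
"""Added example, not cortex-score code: verify bundled data against a SHA-256 manifest before loading it."""
import hashlib
import json
import tempfile
from pathlib import Path


class AtlasMismatchError(RuntimeError):
    """Raised when a listed data file is missing, renamed away, or has a different digest than the manifest."""


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(data_dir: Path) -> dict[str, str]:
    """Return {name: digest} for every manifest entry or raise AtlasMismatchError.

    Assumed layout: {"files": {"<name>": "<sha256 hex>"}}. Files on disk that are not listed
    are ignored: nothing is ever loaded by name unless the manifest vouches for it.
    """
    data_dir = Path(data_dir)
    manifest = json.loads((data_dir / "manifest.json").read_text(encoding="utf-8"))
    verified = {}
    for name, expected in manifest["files"].items():
        if Path(name).name != name or name in (".", ".."):
            raise AtlasMismatchError(f"{name!r}: manifest entries must be plain file names")
        path = data_dir / name
        if not path.is_file():
            raise AtlasMismatchError(f"{name}: listed in manifest but missing")
        actual = sha256_file(path)
        if actual != expected.lower():
            raise AtlasMismatchError(f"{name}: sha256 {actual} != manifest {expected}")
        verified[name] = actual
    return verified


def load_atlas(data_dir: Path, name: str):
    """Verify the whole manifest, then load one .npy with pickle disabled."""
    if name not in verify_manifest(data_dir):
        raise AtlasMismatchError(f"{name}: not in manifest, refusing to load")
    import numpy as np  # deferred so verification has no numpy dependency

    return np.load(Path(data_dir) / name, allow_pickle=False)


def write_fixture(data_dir: Path) -> None:
    """Constructed sample data: two byte blobs (not real .npy files) plus a manifest of their digests."""
    data_dir.mkdir(parents=True, exist_ok=True)
    blobs = {"atlas_a.npy": b"atlas-a-bytes" * 8, "atlas_b.npy": b"atlas-b-bytes" * 8}
    for name, blob in blobs.items():
        (data_dir / name).write_bytes(blob)
    manifest = {"files": {name: hashlib.sha256(blob).hexdigest() for name, blob in blobs.items()}}
    (data_dir / "manifest.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")


def demo() -> tuple[int, bool, bool]:
    """Return (entries verified when intact, tampering detected, missing file detected)."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp) / "data"
        write_fixture(data_dir)
        n_ok = len(verify_manifest(data_dir))
        (data_dir / "atlas_b.npy").write_bytes(b"atlas-X-bytes" * 8)  # simulate a tampered wheel
        try:
            verify_manifest(data_dir)
            tampered = False
        except AtlasMismatchError:
            tampered = True
        (data_dir / "atlas_b.npy").unlink()  # simulate a file stripped from the wheel
        try:
            verify_manifest(data_dir)
            missing = False
        except AtlasMismatchError:
            missing = True
    return n_ok, tampered, missing


if __name__ == "__main__":
    print(demo())
```

The digest comparison is over public data, so a constant-time compare is not needed; what matters is that the manifest itself ships inside the same signed, attested wheel, so an attacker who can rewrite an atlas file but not the manifest is caught, and one who can rewrite both has already defeated the package signature, not this check.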

Supported versions

This is pre-1.0 software; security fixes target the latest released version.

There aren't any published security advisories