If you discover a security vulnerability in this repository, please report it responsibly.
Do not open a public issue for security vulnerabilities.
- GitHub: Use private vulnerability reporting
Security concerns for this MCP server include:
- Data Integrity: Ensuring PatternFly documentation and schemas are accurate and untampered.
- Execution Safety: Preventing malicious code execution through custom tool plugins.
- Path Escape: Ensuring the server cannot be used to read sensitive files on the host system via validated path resolution.
To maintain codebase integrity:
- PRs from non-core contributors that modify core behavior or exceed the recommended file limits are placed on Policy Hold until they have been reviewed in depth for architectural alignment.
- PRs from community contributors can refer to the mirrored guidance and status in the GitHub Actions workflow logs for helpful feedback.
- PRs require a secondary review by a maintainer to be promoted from Policy Hold status.
- Code Freeze: During the pre-release window, maintainers may limit what merges during release preparation. In this state, only stability or critical security patches are merged.
- Provenance: All official releases are published using `npm publish --provenance` to provide a verifiable link between the package and the GitHub Actions build.
See GOVERNANCE.md for the review layers that every contribution passes through before it can affect a user's system.
Only the latest semver major version on the main branch is supported.