Security: outmanwt/local-tv

SECURITY.md

Security Policy

Supported versions

Security fixes are handled on the latest master branch and the latest tagged release.

Reporting a vulnerability

Please do not open a public issue with exploitable details or private data. Use GitHub private vulnerability reporting if it is enabled for the repository. If it is not enabled, open a minimal public issue asking for a private contact path, without including secrets, local paths, media names, or proof-of-concept details.

Project security posture

  • No internet permission is requested by the app.
  • Release signing material is expected to be supplied through GitHub Actions secrets or an untracked local key.properties.
  • local.properties, keystores, environment files, temporary files, and local assistant/project notes are ignored by Git.
  • App backup is disabled to avoid exporting local playback state and scanned media path settings.
  • The public package namespace is io.github.localtv, so release builds do not expose a personal maintainer handle through the Android application ID.

Maintainer checklist

Before publishing a release:

  1. Run a secret scan against tracked files and Git history.
  2. Publish from a sanitized history or a fresh public repository snapshot.
  3. Build from a clean checkout.
  4. Verify release artifacts are signed with the intended key.
  5. Do not upload debug APKs, keystores, key.properties, local.properties, or local test media.
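The posture items and checklist steps 4 and 5 can be checked mechanically before a release. The script below is an added example, not part of the project's repository. The keystore and environment-file name patterns, the script name, and checking only the first signer are assumptions. It does not replace the secret scan of Git history in step 1.

```shell
#!/bin/sh
# Added example: pre-release checks for the posture and checklist above.
# Name patterns for keystores/env files are assumptions, not the project's list.

# Read paths on stdin (e.g. from `git ls-files` or a listing of the upload
# directory) and print the ones that must never be tracked or uploaded.
forbidden_paths() {
    while IFS= read -r path; do
        case "${path##*/}" in
            key.properties|local.properties|*.jks|*.keystore|.env|.env.*|*-debug.apk)
                printf '%s\n' "$path" ;;
        esac
    done
}

# Succeed only if the manifest requests no INTERNET permission and disables
# backup. Run it on the merged manifest of the release build, since
# dependencies can contribute permissions the source manifest does not show.
manifest_ok() {
    manifest=$1
    if grep -q 'android.permission.INTERNET' "$manifest"; then
        echo "INTERNET permission requested in $manifest" >&2
        return 1
    fi
    if ! grep -q 'android:allowBackup="false"' "$manifest"; then
        echo "android:allowBackup is not \"false\" in $manifest" >&2
        return 1
    fi
    return 0
}

# Compare the signer digest printed by `apksigner verify --print-certs APK`
# (passed on stdin) with the expected SHA-256 of the release certificate.
# An empty or missing digest line counts as a mismatch.
signer_matches() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':')
    actual=$(sed -n 's/^Signer #1 certificate SHA-256 digest: //p' | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Usage (hypothetical name): sh prerelease_check.sh MERGED_MANIFEST, from the repo root.
if [ "$#" -ge 1 ]; then
    bad=$(git ls-files | forbidden_paths)
    [ -z "$bad" ] || { echo "tracked files that must not ship:"; echo "$bad"; exit 1; }
    manifest_ok "$1" || exit 1
fi
```

For step 4, pipe the output of `apksigner verify --print-certs` for the release APK into `signer_matches` together with the SHA-256 digest of the intended release certificate, recorded somewhere other than the build machine.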

There aren't any published security advisories