If you discover a security vulnerability, please do not open a public issue.

Instead, email: meruto187@github.com

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

You will receive a response within 48 hours.

• Always use HTTPS/WSS in production
• Backend CORS is currently set to allow all origins — restrict for production
• No authentication on endpoints yet — planned for future versions