| Surface | Supported |
|---|---|
production branch (deployed service) |
Yes — receives fixes via promotion from main |
main branch |
Yes — active development |
| Anything else (forks, old commits) | No |
Please use GitHub private vulnerability reporting: open Security → Advisories → Report a vulnerability on this repository. Do not open a public issue for security reports.
What to include: affected endpoint/component, reproduction steps or proof of concept, impact assessment, and any suggested fix.
This is a single-maintainer project: expect acknowledgement within 7 days and a fix or mitigation plan within 30 days for confirmed issues. Coordinated disclosure is appreciated; you will be credited in the advisory unless you ask otherwise.
- The deployed API enforces HTTPS, rate limiting, and optional token-based access control for cost-bearing endpoints.
- Secrets are never stored in the repository: provider keys live in the
prod-validationGitHub environment and the Render dashboard (sync: falseinrender.yaml). - Dependency and code scanning run continuously (Dependabot alerts + security
updates, CodeQL
security-extended, secret scanning with push protection, weeklynpm auditgate).