Current safeguards
- SSRF guardrails reject localhost, private IPs, link-local IPs, non-http(s) schemes, embedded credentials, and unsafe redirects for URL-fetching tools.
- Rate limits help protect public beta routes from overload and abuse.
- Production environment validation checks that the required deployment configuration is present before startup.
- The repository includes a secret scanner and dependency audit command used in the validation flow.
- Request logging is structured and avoids raw user text by default.
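As an added illustration of the SSRF guardrail rules listed above (this is example code written for this page, not the project's own implementation), the guard below rejects localhost, private, link-local and otherwise non-public addresses, non-http(s) schemes, embedded credentials, and re-checks redirect targets. The `resolve` callable is an assumption: it stands in for whatever DNS lookup the fetch tool performs, so resolved addresses are checked as well as literal IPs.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

# Constructed example (not the project's code): the URL guard below applies
# the rules listed above to a URL before a fetch tool is allowed to use it.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"localhost", "localhost.localdomain"}

def _ip_is_blocked(ip) -> bool:
    # Loopback, private, link-local (covers 169.254.169.254-style metadata
    # endpoints), unspecified, reserved and multicast ranges are rejected;
    # IPv4-mapped IPv6 addresses are unwrapped first so ::ffff:127.0.0.1 fails too.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def check_fetch_url(url: str, resolve=None) -> tuple[bool, str]:
    """Return (allowed, reason). `resolve` is an assumed, injectable
    hostname -> list-of-IP-strings callable so resolved addresses are
    checked too (a public name can point at an internal IP)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme is not http(s)"
    if parts.username is not None or parts.password is not None:
        return False, "embedded credentials"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, "localhost"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    addresses = [literal] if literal is not None else [
        ipaddress.ip_address(a) for a in (resolve(host) if resolve else [])]
    for addr in addresses:
        if _ip_is_blocked(addr):
            return False, f"blocked address {addr}"
    return True, "ok"

def check_redirect(original: str, location: str, resolve=None) -> tuple[bool, str]:
    # A redirect target is resolved against the original URL and re-checked
    # with the same rules instead of being followed blindly.
    return check_fetch_url(urljoin(original, location), resolve)
```

In a real fetch tool the same check should run on every hop of a redirect chain, with redirects followed manually rather than by the HTTP client.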
Responsible disclosure
A dedicated security email is not published yet. Use /.well-known/security.txt for the current policy link and disclosure status.
Do not send secrets, live credentials, wallet keys, seed phrases, private customer data, or exploit payloads beyond what is needed to describe the issue safely.