This project is a local-first prototype and does not currently provide production hosting guarantees.
Please report security issues privately if possible. If GitHub private vulnerability reporting is enabled, use that. Otherwise, open a minimal issue that says a private security report is needed without posting exploit details.
Relevant areas include:
- room/session recovery
- reconnect tokens
- host-only moderation actions
- cross-device LAN access
- dependency vulnerabilities
Do not publish working exploit steps in public issues.