
Security: Chengyue5211/DualSoul


SECURITY.md

Security Policy

Supported Versions

Version | Supported
------- | ---------
0.1.x   | Yes

Reporting a Vulnerability

If you discover a security vulnerability in DualSoul, please report it responsibly:

  1. Do NOT open a public GitHub issue for security vulnerabilities
  2. Send a description of the vulnerability to the maintainers via GitHub Security Advisories
  3. Include steps to reproduce the issue and the potential impact

We will acknowledge your report within 48 hours and provide a timeline for the fix.

Security Considerations

Authentication

  • Passwords are hashed with bcrypt (automatic salt generation)
  • JWT tokens expire after a configurable period
  • All social endpoints require valid Bearer token authentication

Data Privacy

  • All data is stored locally in SQLite
  • Only the Twin personality description and current message are sent to the AI backend
  • No conversation history is transmitted to external services
  • Account deletion destroys all associated data

AI-Generated Content

  • All AI-generated messages are permanently marked with ai_generated: true
  • The sender_mode field is immutable after message creation
  • No message can falsely claim to be from a Real Self when generated by AI
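The three invariants above, as an added example that is not DualSoul's own code: a SQLite schema and trigger that rejects an AI-generated message labelled as coming from the Real Self and refuses any later change to sender_mode or ai_generated. The column names come from the policy; the sender_mode values 'real_self' and 'twin', the table layout and the function names are assumptions.

```python
# Added example, not DualSoul's own code: the policy's invariants for
# AI-generated messages enforced in SQLite. Column names come from the
# policy; the sender_mode values and the table layout are assumed.
import sqlite3

SCHEMA = """
CREATE TABLE messages (
    id           INTEGER PRIMARY KEY,
    sender_mode  TEXT    NOT NULL CHECK (sender_mode IN ('real_self', 'twin')),
    ai_generated INTEGER NOT NULL CHECK (ai_generated IN (0, 1)),
    body         TEXT    NOT NULL,
    -- an AI-generated message may never claim to come from the Real Self
    CHECK (NOT (ai_generated = 1 AND sender_mode = 'real_self'))
);
-- sender_mode and ai_generated are immutable once the row exists
CREATE TRIGGER messages_immutable_mode
BEFORE UPDATE OF sender_mode, ai_generated ON messages
BEGIN SELECT RAISE(ABORT, 'sender_mode/ai_generated are immutable'); END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def insert_message(conn, sender_mode, ai_generated, body):
    # returns the new row id, or None when the constraints reject the row
    try:
        with conn:
            cur = conn.execute("INSERT INTO messages (sender_mode, ai_generated, body) VALUES (?, ?, ?)",
                               (sender_mode, int(ai_generated), body))
        return cur.lastrowid
    except sqlite3.DatabaseError:
        return None

def try_relabel(conn, msg_id, new_mode):
    # returns True only if the UPDATE went through (the trigger should stop it)
    try:
        with conn:
            conn.execute("UPDATE messages SET sender_mode = ? WHERE id = ?", (new_mode, msg_id))
        return True
    except sqlite3.DatabaseError:
        return False

def demo():
    conn = open_db()
    twin_id = insert_message(conn, "twin", True, "constructed twin reply")        # accepted
    forged = insert_message(conn, "real_self", True, "constructed forged reply")  # rejected
    relabelled = try_relabel(conn, twin_id, "real_self")                          # rejected
    return twin_id is not None, forged is None, relabelled is False
```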

Best Practices for Deployment

  • Set a strong DUALSOUL_JWT_SECRET (at least 32 characters)
  • Use HTTPS in production (reverse proxy with nginx/caddy)
  • Restrict the AI backend API key permissions to chat completions only
  • Regularly back up the SQLite database

There aren’t any published security advisories