
Security: OSideMedia/Astrapai


SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Astrapai, please report it responsibly.

Do not open a public issue. Instead, report security concerns to the maintainers through GitHub's private vulnerability reporting.

We will acknowledge receipt within 48 hours and provide an estimated timeline for a fix.

Scope

The following are in scope for security reports:

  • Authentication bypass or session hijacking
  • Row Level Security policy gaps (cross-user data access)
  • Server Action vulnerabilities (unauthorized mutations)
  • XSS, CSRF, or injection attacks
  • Exposed secrets or credentials in the repository

Security Model

Astrapai enforces security at multiple layers:

  • Middleware -- All routes except /login and /auth/* require authentication
  • Row Level Security -- Every database table enforces user_id = auth.uid()
  • Server Actions -- All mutations run server-side; no client-side Supabase writes
  • Schema isolation -- The story_platform schema revokes all privileges from the anon role
  • Assertion Lockdown -- Blocks script generation when disputed fact claims exist
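A Postgres/Supabase sketch of the Row Level Security and schema isolation layers listed above, followed by a query that looks for the RLS policy gaps named under Scope. This is an added example, not Astrapai's own schema; the scripts table and its columns are assumptions.

```sql
-- Added example, not Astrapai's schema: table/column names are assumptions.

-- Schema isolation: the anon role gets no access at all to story_platform.
REVOKE ALL ON SCHEMA story_platform FROM anon;
REVOKE ALL ON ALL TABLES IN SCHEMA story_platform FROM anon;
ALTER DEFAULT PRIVILEGES IN SCHEMA story_platform REVOKE ALL ON TABLES FROM anon;

-- Row Level Security: every row carries its owner, defaulting to the caller.
CREATE TABLE story_platform.scripts (
  id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  user_id    uuid NOT NULL DEFAULT auth.uid() REFERENCES auth.users (id),
  body       text NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE story_platform.scripts ENABLE ROW LEVEL SECURITY;
ALTER TABLE story_platform.scripts FORCE ROW LEVEL SECURITY;  -- applies to the owner too

-- One policy per command. USING filters rows already present; WITH CHECK
-- validates rows being written, so nobody can insert or re-assign a row
-- under another user_id.
CREATE POLICY scripts_select ON story_platform.scripts
  FOR SELECT TO authenticated USING (user_id = auth.uid());
CREATE POLICY scripts_insert ON story_platform.scripts
  FOR INSERT TO authenticated WITH CHECK (user_id = auth.uid());
CREATE POLICY scripts_update ON story_platform.scripts
  FOR UPDATE TO authenticated
  USING (user_id = auth.uid()) WITH CHECK (user_id = auth.uid());
CREATE POLICY scripts_delete ON story_platform.scripts
  FOR DELETE TO authenticated USING (user_id = auth.uid());

-- Audit for the "RLS policy gaps" item in Scope: any table in the schema
-- that has RLS disabled or no policy at all is a finding.
SELECT c.relname, c.relrowsecurity AS rls_enabled, count(p.policyname) AS policies
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policies p ON p.schemaname = n.nspname AND p.tablename = c.relname
WHERE n.nspname = 'story_platform' AND c.relkind = 'r'
GROUP BY c.relname, c.relrowsecurity
HAVING NOT c.relrowsecurity OR count(p.policyname) = 0;
```

RLS only filters rows once a privilege grant allows access, so the authenticated role still needs the usual GRANT USAGE on the schema and table privileges; the policies above then restrict each user to their own rows.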

Supported Versions

| Version | Supported |
| ------- | --------- |
| 1.1.x   | Yes       |
| 1.0.x   | Yes       |
| < 1.0   | No        |

There aren’t any published security advisories