Last reviewed: 2026-02-05

Please do not open public issues for security reports. Contact the maintainers privately.

Suggested report details:

• Steps to reproduce
• Impact
• Affected routes or components
• Proof of concept (if available)

This project is under active development. Only the latest commit on main is supported.

• Firebase session cookies are verified server-side.
• Supabase service role key is server-only.
• API routes validate input with zod and return standardized error shapes.
• User-specific API responses are Cache-Control: private, no-store.
• Issue attachments accept only images under 5MB and use a dedicated Supabase storage bucket.

• Never commit secrets to the repository.
• Use .env.local for development.
• Store secrets in Vercel environment variables for production.

• Validate all inputs server-side.
• Keep service role keys and GitHub tokens server-only.
• Audit route handlers for no-store responses when data is user-specific.