If you discover a security vulnerability in DocVault, please report it responsibly:

1. Do not open a public GitHub issue
2. Use GitHub Security Advisories to report privately
3. Include steps to reproduce, impact assessment, and suggested fix if possible

• Never commit .env files to version control. The pre-commit hook blocks this automatically.
• Copy .env.dev (development) or .env.production (production) to .env and fill in your own keys.
• Rotate DOCVAULT_JWT_SECRET immediately if it is ever exposed. Use at least 64 random characters.
• API keys (GEMINI_API_KEY, ANTHROPIC_API_KEY, OPENAI_API_KEY) should be scoped to this project only.

Before deploying to production:

• Set DOCVAULT_DEBUG=false
• Set a strong, unique DOCVAULT_JWT_SECRET (64+ characters)
• Replace CORS wildcard with explicit origins in DOCVAULT_CORS_ORIGINS
• Use HTTPS via Caddy (make prod handles TLS automatically)
• Set unique passwords for PostgreSQL, Langfuse, and Grafana
• Review rate limits (DOCVAULT_RATE_LIMIT_*) for your expected traffic
• Run pip-audit and pnpm audit to check for dependency vulnerabilities

cd backend && uv run pip-audit     # Python dependencies
cd frontend && pnpm audit --prod   # Node dependencies

The CI pipeline runs these checks automatically on every pull request.