Security: mitkox/ain

Security

SECURITY.md

Security policy / notes

Reporting

If you find a vulnerability, please open a GitHub Security Advisory or a private issue in the repo.

High-risk endpoints

This project includes an intentionally convenient LAN API:

  • POST /v1/publish accepts secret_key_b64 so the node can sign events on the agent’s behalf.

Do not expose this endpoint to the public internet. Use it only on trusted hosts/LANs. For safer setups:

  • have the agent sign EventEnvelope locally and submit via POST /v1/events

Secrets

  • Never commit secret_key_b64 values, .env files, or agent configs with secrets.
  • Keep --data-dir private if you use it to store private material.
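
A pre-commit style check for the two rules above, as an added example that is not part of the project's own code: it flags .env files and any file that assigns a value to secret_key_b64, and tests whether a data directory is closed to group and other users. The regular expression, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed pattern: the key name, then ':' or '=', then a base64-looking value
# (covers JSON, YAML, TOML and env-file spellings; a bare mention does not match).
SECRET_RE = re.compile(
    r"""secret_key_b64["']?\s*[:=]\s*["']?[A-Za-z0-9+/_-]{16,}={0,2}""", re.IGNORECASE)

def scan_tree(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if ".git" in rel.parts or not path.is_file():
            continue
        if path.name == ".env" or path.suffix == ".env":
            findings.append((rel.as_posix(), "env file"))
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: nothing to report from its contents
        if SECRET_RE.search(text):
            findings.append((rel.as_posix(), "secret_key_b64 value"))
    return sorted(findings)

def data_dir_is_private(data_dir):
    """True if the directory grants nothing to group or others (POSIX modes)."""
    mode = stat.S_IMODE(os.stat(data_dir).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def demo():
    """Build a constructed sample tree and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "README.md").write_text("Pass secret_key_b64 in the request body.\n")
        # Constructed placeholder value, not a real key.
        (root / "agent.json").write_text(
            '{"secret_key_b64": "Q09OU1RSVUNURURfTk9UX0FfUkVBTF9LRVk="}\n')
        (root / ".env").write_text("PORT=8080\n")
        data = root / "data"
        data.mkdir()
        os.chmod(data, 0o755)
        loose = data_dir_is_private(data)
        os.chmod(data, 0o700)
        return scan_tree(root), loose, data_dir_is_private(data)

if __name__ == "__main__":
    print(demo())
```
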

There aren’t any published security advisories