If you discover a security vulnerability, please report it privately:

1. Do NOT create a public GitHub issue
2. Email: Create a private security advisory
3. Include detailed description and reproduction steps

Response Timeline:

• Initial response: Within 48 hours
• Fix timeline provided: Within 7 days
• Security patch released: Based on severity

When deploying this application:

• Never share your API_SECRET_KEY
• Use strong, randomly generated values for all secrets
• Regularly update dependencies (pip-audit)
• Monitor logs for security events
• Enable GitHub's security features (secret scanning, dependabot)

This codebase includes:

• ✅ Global API key authentication (middleware)
• ✅ SQL injection prevention (whitelisting + ORM)
• ✅ XSS protection (HTML escaping)
• ✅ IDOR protection (user validation)
• ✅ Security headers (CSP, HSTS, X-Frame-Options)
• ✅ Rate limiting (tier-based)
• ✅ Request size limiting (DoS protection)
• ✅ Timing-safe comparisons
• ✅ Error message sanitization

The following measures protect sensitive environment variables from unauthorized access:

• ✅ .env file has restrictive permissions (chmod 600 - owner read/write only)
• ✅ Pre-commit secret scanning config is included (install to enforce before commits)
• ✅ .gitignore excludes .env and all secret files

• ✅ .opencodeignore file prevents AI agents (OpenCode, Claude Code, etc.) from reading:
  • .env files
  • Key and certificate files (*.key, *.pem, *.crt)
  • Secrets directories
  • VSCode settings (may contain API keys)
  • Log files and databases

# Install pre-commit hooks (recommended)
pre-commit install

# Run secret scan manually
pre-commit run --all-files

# Use the secure launcher
./run_secure.sh backend    # Start backend
./run_secure.sh bot        # Start Telegram bot

# Or run manually with environment checks
cd backend && uvicorn app.main:app --reload

Security review completed February 2026.