# Security policy

## Supported versions

This repository is under active development. Security fixes land on the default branch (`main`) first.

## Reporting a vulnerability

Please email the repository maintainers with:

- a short description of the issue
- steps to reproduce (if applicable)
- affected component (`solver-api`, `gui-ts`, `solver-c`, Docker, etc.)

Do not open a public issue for undisclosed vulnerabilities.

## Scope notes

- The local API is intended for **trusted development networks**. Do not expose it to the public internet without hardening (TLS, auth, rate limits, reverse proxy).
- Treat uploaded XML as untrusted input at API boundaries.
- `CORS_ORIGINS` can be set to a comma-separated allowlist for browser clients; default behavior is permissive for local development.
- For production-like deployments, disable runtime compiler dependencies and prebuild `solver-c/solver_main` and `solver-c/solver_fea_main`.
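
An added example, not code from this repository: one way a service could turn a comma-separated `CORS_ORIGINS` value into an exact-match allowlist while keeping the permissive behavior when the variable is unset. The function names, the sample origins, and the choice to reject `*` and malformed entries are assumptions of this example.

```python
import os
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(value):
    """Return a canonical scheme://host[:port], or None if value is not a bare origin."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    suffix = "" if port in (None, DEFAULT_PORTS[parts.scheme]) else f":{port}"
    return f"{parts.scheme}://{host}{suffix}"

def parse_cors_origins(raw):
    """Parse CORS_ORIGINS. None means 'unset': permissive, for local development only."""
    if raw is None or not raw.strip():
        return None
    allowed = set()
    for item in raw.split(","):
        if not item.strip():
            continue  # tolerate a trailing comma
        origin = normalize_origin(item)
        if origin is None:  # also rejects "*": an allowlist should name origins
            raise ValueError(f"invalid CORS_ORIGINS entry: {item.strip()!r}")
        allowed.add(origin)
    return frozenset(allowed)

def is_origin_allowed(origin, allowed):
    """Exact match on the canonical origin; never prefix or substring matching."""
    if allowed is None:
        return True
    canonical = normalize_origin(origin)
    return canonical is not None and canonical in allowed

if __name__ == "__main__":
    allowlist = parse_cors_origins(os.environ.get("CORS_ORIGINS"))
    # Constructed sample origins, not taken from the project.
    for candidate in ("http://localhost:5173", "https://app.example.test.evil.test"):
        print(candidate, is_origin_allowed(candidate, allowlist))
```

Failing at startup on a malformed entry keeps a typo in the environment from silently widening or emptying the allowlist.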