Conner Majic
ce137dd1c2
Update contributor, security, validation, and compute handoff documentation to reflect new runtime safeguards, CI gates, and expected regression checks. Made-with: Cursor
23 lines
944 B
Markdown
23 lines
944 B
Markdown
# Security policy
|
|
|
|
## Supported versions
|
|
|
|
This repository is under active development. Security fixes land on the default branch (`main`) first.
|
|
|
|
## Reporting a vulnerability
|
|
|
|
Please email the repository maintainers with:
|
|
|
|
- a short description of the issue
|
|
- steps to reproduce (if applicable)
|
|
- affected component (`solver-api`, `gui-ts`, `solver-c`, Docker, etc.)
|
|
|
|
Do not open a public issue for undisclosed vulnerabilities.
|
|
|
|
## Scope notes
|
|
|
|
- The local API is intended for **trusted development networks**. Do not expose it to the public internet without hardening (TLS, auth, rate limits, reverse proxy).
|
|
- Treat uploaded XML as untrusted input at API boundaries.
|
|
- `CORS_ORIGINS` can be set to a comma-separated allowlist for browser clients; default behavior is permissive for local development.
|
|
- For production-like deployments, disable runtime compiler dependencies and prebuild `solver-c/solver_main` and `solver-c/solver_fea_main`.
|