Security: copal-tools/copal

SECURITY.md

Security Policy

Reporting a vulnerability

Please report security issues privately — do not open a public issue.

Use GitHub's "Report a vulnerability" button under this repository's Security tab (Security Advisories). We'll acknowledge your report and work with you on a fix and a disclosure timeline.

Security model

Copal Tools targets trusted LAN / single-operator environments. Understand this before deploying:

  • CopalVX server ships with no authentication layer by design — it assumes a trusted local network. Do not expose it to the public internet or port-forward it; run it behind a firewall or VPN. Anyone who can reach the API can read, write, and delete project data. If you need it on a less-trusted network, put an authenticating reverse proxy and network ACLs in front of it.
  • CopalPM's time-tracking daemon binds to 127.0.0.1 only and authenticates requests with a key generated locally on first run.
  • Server secrets (database password, S3 keys) live only in a gitignored .env file. Never commit real credentials. If a credential ever reaches git history, rotate it — removing it from the latest commit is not enough.
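As an added example (not part of copal-tools/copal), the reverse-proxy setup recommended above for CopalVX, written as an nginx configuration: the weak, directly exposed listener is shown commented out beside a hardened one that adds a network ACL and basic authentication. The upstream port, hostname, LAN range, TLS paths and htpasswd file are placeholders.

```nginx
# Added example, not from the copal repository. Assumes CopalVX itself listens
# only on 127.0.0.1:8080 (placeholder port) so that nginx is the sole way in,
# and that /etc/nginx/copalvx.htpasswd was created with `htpasswd -c`.

# Weak setting (do not use): forwards the unauthenticated API to any host
# that can reach this machine.
# server {
#     listen 0.0.0.0:80;
#     location / { proxy_pass http://127.0.0.1:8080; }
# }

server {
    listen 443 ssl;
    server_name copalvx.lan;                          # placeholder hostname

    ssl_certificate     /etc/nginx/tls/copalvx.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/copalvx.key;

    location / {
        # Network ACL: only the trusted LAN segment (placeholder range).
        # With the default `satisfy all`, a client must pass this AND auth.
        allow 192.168.10.0/24;
        deny  all;

        # The authentication layer CopalVX does not provide itself.
        auth_basic           "CopalVX";
        auth_basic_user_file /etc/nginx/copalvx.htpasswd;

        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # Do not pass the operator's credentials on to the upstream;
        # an empty value makes nginx drop the header.
        proxy_set_header   Authorization     "";
    }
}
```

Check the result from an address outside the allowed range and without credentials: the first should get 403, the second 401, and CopalVX should never be reachable except through this listener.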

Supported versions

Security fixes land on main. There is no separate long-term-support branch.

There aren't any published security advisories