Security: michaelhitzker/anywhere

Security

Anywhere is currently intended for trusted local networks and private development environments.

Current Model

  • Execution stays on the developer's machine.
  • Provider credentials and T3 Code auth remain in the local T3 Code setup.
  • Non-loopback phone API requests require QR pairing.
  • Pairing tickets are short-lived.
  • Paired phone credentials expire after 30 days and can be revoked from the macOS Bridge.

The daemon exposes a local HTTP API, usually on port 4242, and binds to 0.0.0.0 by default so a phone on the LAN can reach it. Do not expose this port directly to the public internet.
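An added example, not part of the project's own code: a Python check that reads `lsof -nP -iTCP -sTCP:LISTEN` output and reports whether the listener on port 4242 is bound to all interfaces, loopback only, a LAN address or a public address. The sample output, process names and PIDs are constructed for illustration.

```python
import ipaddress
import re

PORT = 4242  # the daemon's usual port, per the text above

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output on macOS.
# Process names, PIDs and device ids are made up for illustration.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
node     4101 dev    23u  IPv4 0xabc1      0t0  TCP *:4242 (LISTEN)
node     4177 dev    19u  IPv4 0xabc2      0t0  TCP 127.0.0.1:3773 (LISTEN)
postgres  612 dev     7u  IPv6 0xabc3      0t0  TCP [::1]:5432 (LISTEN)
"""

# NAME column: "*", a bracketed IPv6 address or a dotted IPv4 address, then the port.
NAME_RE = re.compile(r"TCP (\*|\[[0-9a-fA-F:]+\]|[0-9.]+):(\d+) \(LISTEN\)$")


def classify_bind(host: str) -> str:
    """Map a listen address to an exposure level."""
    if host == "*":                      # lsof's notation for the wildcard bind
        return "all-interfaces"
    addr = ipaddress.ip_address(host.strip("[]"))
    if addr.is_unspecified:              # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback-only"
    if addr.is_private or addr.is_link_local:
        return "lan-address"
    return "public-address"


def audit_listeners(lsof_text: str, port: int = PORT) -> list[tuple[str, str, str]]:
    """Return (command, listen address, exposure) for each listener on `port`."""
    findings = []
    for line in lsof_text.splitlines()[1:]:      # skip the header row
        match = NAME_RE.search(line)
        if match and int(match.group(2)) == port:
            host = match.group(1)
            findings.append((line.split()[0], host, classify_bind(host)))
    return findings


if __name__ == "__main__":
    for command, host, exposure in audit_listeners(SAMPLE_LSOF):
        print(f"{command} listens on {host}:{PORT} -> {exposure}")
```

To check a real machine, pass the captured output of `lsof -nP -iTCP -sTCP:LISTEN` to `audit_listeners`; an all-interfaces result means reachability from outside the LAN depends entirely on the router and host firewall.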

Reporting Issues

Please report security concerns privately to the project maintainer before opening a public issue. Include:

  • the affected component
  • reproduction steps
  • expected impact
  • any relevant logs or request examples, with tokens and local paths removed

Sensitive Local Files

Do not commit .anywhere/ runtime state. It can contain local paths, project metadata, pairing state, and other machine-specific configuration.
