docs: wrap security policy prose

2026-06-21 16:52:19 +02:00
committed by Milas Holsting
parent fb8433a435
commit cdf322602f

@@ -18,8 +18,8 @@ Report security concerns privately to the repository maintainer. Include as much
- the potential impact; - the potential impact;
- any suggested fix or mitigation, if you have one. - any suggested fix or mitigation, if you have one.
You can expect a best-effort response acknowledging the report, followed by validation and a fix when You can expect a best-effort response acknowledging the report, followed by validation and a fix
the issue is reproducible and in scope. when the issue is reproducible and in scope.
## Security Scope ## Security Scope
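Review bot: the re-wrapped sentence still promises only a "best-effort response acknowledging the report" with no target window, so reporters have nothing to measure against when deciding whether to follow up; since this commit is already a wording pass over the reporting section, consider adding an expected acknowledgement time (a placeholder such as "within N business days" that the maintainer fills in) after "best-effort response". The wrap itself is content-neutral: the old and new text of lines 18 to 25 are identical word for word.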
@@ -48,17 +48,17 @@ The following are generally out of scope unless they expose a direct application
## Operational Notes ## Operational Notes
This application is designed to be self-hosted and local-first. If you deploy it beyond a private This application is designed to be self-hosted and local-first. If you deploy it beyond a private
local environment, you are responsible for the surrounding production controls, including TLS, network local environment, you are responsible for the surrounding production controls, including TLS,
access, backups, secrets management, reverse proxy configuration, logging retention, and dependency network access, backups, secrets management, reverse proxy configuration, logging retention, and
monitoring. dependency monitoring.
Use a strong `PLAYBACK_PROXY_SECRET` if playback proxy token signing is enabled. Do not commit real Use a strong `PLAYBACK_PROXY_SECRET` if playback proxy token signing is enabled. Do not commit real
secrets, provider tokens, session data, or production databases to the repository. secrets, provider tokens, session data, or production databases to the repository.
## Dependency Security ## Dependency Security
Dependencies are managed through Go modules and Bun. When updating dependencies, run the normal local Dependencies are managed through Go modules and Bun. When updating dependencies, run the normal
checks before merging: local checks before merging:
```bash ```bash
just check just check
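Review bot: the Operational Notes paragraph tells deployers to "use a strong `PLAYBACK_PROXY_SECRET`" but gives no criterion for strong and no way to generate one, so the requirement is not checkable; a single clause such as "at least 32 bytes from a cryptographically secure random source (for example `openssl rand -hex 32`)" would close that gap, and the same paragraph could say what the secret signs so that readers understand why its entropy matters. The re-wrapping of the Operational Notes and Dependency Security paragraphs changes no wording, so nothing else in this hunk needs attention.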