music-orchestrator/SECURITY.md
Kisskin-Mister 8d8076bd3f
Some checks failed
CI / backend (push) Failing after 1m53s
feat: initial backend-first music orchestrator MVP
2026-07-10 10:02:23 +03:00

908 B

Security Policy

Supported scope

This repository is a local/personal backend-first MVP. It is not a public SaaS product and should not be exposed to the internet without a separate hardening review.

Secrets

Do not commit .env, API keys, SoundCloud credentials, YouTube API keys, Navidrome tokens, cookies, or extractor credentials. Use .env.example placeholders only.

Provider compliance

Default mode is compliant-only:

  • APP_ENABLE_RISKY_EXTRACTORS=false
  • no yt-dlp download/cache implementation
  • no cookie extraction
  • no YouTube raw-audio proxying/streaming
  • no SoundCloud persistent cache/offline storage
  • external providers expose capability and policy flags to the frontend

Reporting vulnerabilities

Open a private report or issue with:

  • affected endpoint
  • expected vs actual behavior
  • reproduction steps
  • whether provider credentials or user data could be exposed