Security: commandlayer/runtime

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, email: security@commandlayer.org

Please include:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Suggested fix (if any)

We will acknowledge receipt within 48 hours and provide a detailed response within 7 days.

Supported Versions

Version   Supported
1.0.x     Yes

Security Considerations

This runtime handles cryptographic signing and verification. Operators should:

  1. Protect signing keys -- never expose RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64 in logs or client responses.
  2. Gate debug routes -- set DEBUG_ROUTES_ENABLED=0 (default) in production, or protect with DEBUG_BEARER_TOKEN.
  3. Restrict CORS -- configure CORS_ALLOW_ORIGINS to specific origins; never use * in production.
  4. Enable SSRF guard -- keep ENABLE_SSRF_GUARD=1 (default) and use ALLOW_FETCH_HOSTS to restrict outbound domains.
  5. Use HTTPS -- always deploy behind TLS termination in production.
  6. Pin dependencies -- use npm ci with the lockfile for reproducible builds.
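A pre-deploy check for items 1 to 4 of the list above, as an added example that is not part of this project's code: it audits an environment object and scrubs secret values from text bound for logs. The function names are hypothetical, and it assumes that CORS_ALLOW_ORIGINS and ALLOW_FETCH_HOSTS hold comma-separated lists and that any DEBUG_ROUTES_ENABLED value other than 0 means enabled.

```javascript
// Added example, not CommandLayer code. Variable names come from the checklist;
// comma-separated list values and "anything but 0 means on" are assumptions.
const SECRET_VARS = ["RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64", "DEBUG_BEARER_TOKEN"];

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Returns a list of findings; an empty list means items 2-4 pass.
function auditRuntimeEnv(env) {
  const findings = [];
  // Item 2: debug routes are off by default; if enabled they need a bearer token.
  if ((env.DEBUG_ROUTES_ENABLED ?? "0") !== "0" && !env.DEBUG_BEARER_TOKEN) {
    findings.push("debug routes enabled without DEBUG_BEARER_TOKEN");
  }
  // Item 3: CORS must name specific origins, never the wildcard.
  const origins = splitList(env.CORS_ALLOW_ORIGINS);
  if (origins.length === 0) findings.push("CORS_ALLOW_ORIGINS is not set");
  if (origins.includes("*")) findings.push("CORS_ALLOW_ORIGINS contains *");
  // Item 4: the SSRF guard is on by default and needs an outbound host list.
  if ((env.ENABLE_SSRF_GUARD ?? "1") !== "1") findings.push("ENABLE_SSRF_GUARD is disabled");
  if (splitList(env.ALLOW_FETCH_HOSTS).length === 0) findings.push("ALLOW_FETCH_HOSTS is not set");
  return findings;
}

// Item 1: scrub secret values from text before it reaches a log or a response.
function redactSecrets(text, env) {
  let out = String(text);
  for (const name of SECRET_VARS) {
    if (env[name]) out = out.split(env[name]).join(`[REDACTED:${name}]`);
  }
  return out;
}

// Constructed sample environments (placeholder values, not real keys or hosts).
const weakEnv = {
  DEBUG_ROUTES_ENABLED: "1",
  CORS_ALLOW_ORIGINS: "*",
  ENABLE_SSRF_GUARD: "0",
  RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64: "Q09OU1RSVUNURUQtS0VZ",
};
const hardenedEnv = {
  CORS_ALLOW_ORIGINS: "https://app.example.com, https://admin.example.com",
  ALLOW_FETCH_HOSTS: "api.example.com",
  RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64: "Q09OU1RSVUNURUQtS0VZ",
};

console.log(auditRuntimeEnv(weakEnv), auditRuntimeEnv(hardenedEnv));
console.log(redactSecrets(`env dump key=${weakEnv.RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64}`, weakEnv));
```

Run it against `process.env` in a deploy step and fail the step when the findings list is non-empty.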
