17 lines
901 B
Markdown
17 lines
901 B
Markdown
# Security Review
|
|
|
|
## Checked Areas
|
|
|
|
- Shell execution: browser auto-open is gated by `AUTO_OPEN_BROWSER` and defaults to false.
|
|
- Secrets: `.env` remains ignored; `.env.example` contains no real keys.
|
|
- External network calls: source fetches use timeout/retry diagnostics and expose degraded state.
|
|
- Manual actions: `/api/sweep` is local-only unless `SWEEP_TOKEN` is configured.
|
|
- File writes: runtime writes are limited to `runs/`.
|
|
- HTML injection: dashboard data is JSON-injected only by the CLI path; server mode serves data through API/SSE.
|
|
|
|
## Residual Risk
|
|
|
|
- External feeds can return malformed, stale, or adversarial content. UI rendering should continue to sanitize titles and URLs.
|
|
- LLM outputs are advisory only and must not be treated as financial advice.
|
|
- `node:sqlite` availability depends on the Node 22 build; when unavailable the memory database degrades to a no-op placeholder.
|