Security Review

Checked Areas

Shell execution: browser auto-open is gated by AUTO_OPEN_BROWSER and defaults to false.
Secrets: .env remains ignored; .env.example contains no real keys.
External network calls: source fetches use timeout/retry diagnostics and expose degraded state.
Manual actions: /api/sweep and /api/action are gated by TERMINAL_ACTIONS_ENABLED and local-only or SWEEP_TOKEN authorization.
File writes: runtime writes are limited to runs/.
HTML injection: dashboard data is JSON-injected only by the CLI path; server mode serves data through API/SSE.

TERMINAL_ACTIONS_ENABLED=true enables dashboard-triggered status, sweep, and brief actions through POST /api/action.
If SWEEP_TOKEN is set, callers must send the token through x-sweep-token, Authorization: Bearer ..., or the token request body field.
If SWEEP_TOKEN is empty, actions are accepted only from local loopback addresses.
For private Dockge/LAN deployments, this is intended to make the terminal operable from the browser.
For Pangolin or other internet-exposed deployments, set SWEEP_TOKEN or TERMINAL_ACTIONS_ENABLED=false until the public reverse-proxy hardening issue is completed.

External feeds can return malformed, stale, or adversarial content. UI rendering should continue to sanitize titles and URLs.
LLM outputs are advisory only and must not be treated as financial advice.
node:sqlite availability depends on the Node 22 build; when unavailable the memory database degrades to a no-op placeholder.
Browser-stored sweep tokens are acceptable for a trusted home-server UI, but should not be treated as a strong auth boundary on a public endpoint.