Use the latest version of the repository main branch.

We take a "Local-First" and "Fail-Safe" approach to security.

• Client-Side Storage: API keys are stored exclusively in your browser's localStorage. They are never saved to a database or disk on the server.
• Transmission: Keys are transmitted via encrypted headers (Authorization or X-Poe-Api-Key) directly to the AI provider (via the local proxy).
• No Logging: The server is designed to act as a stateless pass-through for authentication. Keys are not logged.

• Strict Schemas: We use Zod schemas to narrowly define and validate all inputs (e.g., file types, JSON structures).
• Sanitization Pipelines:
  • LaTeX Injection: All AI output passes through sanitizeLatexOutput() to strip potential command injections or leaked formatting.
  • Export Safety: Before download, files are processed by sanitizeLatexForExport() to ensure compilation safety.

• Local Environment: The application is designed to run locally or in an isolated container.
• Ephemeral Storage: Uploaded documents are processed in temporary directories and validated for MIME types (application/pdf, text/plain).

Please open a GitHub Issue with the label security.

1. Open a new issue.
2. Describe the vulnerability in detail.
3. Provide steps to reproduce.
4. We will review it within the standard open-source contribution cycle.