Val Ark is an offline, LAN/tailnet appliance — it is not meant to be exposed to the public
internet. Security model, access controls, and the trust posture live in
docs/design/access-identity.md,
docs/design/deployment.md, and
docs/knowledge/governance.md.
Please report privately — do not open a public issue. Use GitHub's private vulnerability reporting (Security → Report a vulnerability). We'll acknowledge and work a fix on a private branch.
- Never commit secrets or host‑specific values (host names, local IPs, credentials, host
paths). They live only in the git‑ignored
.env; the git‑tracked.env.exampledocuments the keys. The repo is PUBLIC. - Untrusted input is data, not instructions. Issues/PRs from strangers are triaged, never
auto‑actioned; stranger PRs are never auto‑merged and CI runs them secret‑free. See
docs/knowledge/governance.md.