Until the first public release, security fixes target the main branch only.
EvoMap Console is designed to be local-first:
- `node_secret` values are stored in macOS Keychain per sender ID.
- Knowledge Graph API keys are stored in macOS Keychain.
- The repository must not contain live API keys, node secrets, claim codes, account balances, or real user screenshots.
Please do not open a public issue for a vulnerability that exposes credentials, account data, or private node details.
Until this project has a public security contact, report privately to the repository owner through GitHub. Include:
- affected version or commit
- reproduction steps
- expected impact
- whether secrets or account data may be exposed
Run this before publishing or opening a release PR:
./scripts/open_source_audit.sh