This repository includes an MVP intended for demonstration and education. It is not production-hardened.
- The gateway uses a static token and a simple allowlist for authorization.
- Services run with local process privileges and may access your filesystem or network depending on configuration.
- Do not run untrusted services; review code before enabling them.

If you discover a security issue, please open a private issue or contact the repository owner. Avoid sharing exploit details publicly until a fix is available.

- Stronger auth (OIDC/mTLS), contextual policy, sandboxing, and signed artifacts.
- Redaction, purpose binding, and auditable logs with tamper evidence.