Security: Artificer-Innovations/BeakerStack

SECURITY.md

Security Policy

Reporting a vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Report privately to:

Include a description, steps to reproduce, and impact. We aim to acknowledge reports within a few business days.

Scope

In scope

  • Source code in this repository (template apps, packages/*, supabase/ migrations and Edge Functions)
  • Published @beakerstack/* npm packages maintained from this repo
  • RLS policies, auth flows, and billing patterns shipped as part of the template

Out of scope

  • Deployments and infrastructure you operate in your own AWS, Supabase, or Stripe accounts
  • Secrets, API keys, or environment configuration you add in forks
  • Vulnerabilities in third-party services (Supabase, Stripe, Expo, etc.) — report those vendors directly
  • Downstream applications built from forks unless they are clearly attributable to template code as shipped here

Admin panel

BeakerStack ships an operator admin surface (/admin on web only). See packages/admin/SECURITY.md for:

  • Where admin status is stored (admin_users) and how grants work (service-role CLI only)
  • Server-side RPC enforcement and audit logging
  • Production responsibilities (dedicated operator accounts, audit retention, service role hygiene)

Non-admins must not be able to read admin tables or invoke admin RPCs successfully; route guards are not sufficient on their own.
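The pattern described above (an admin_users table readable only by admins, grants written through the service role, and RPCs that enforce admin status server-side and write an audit row) sketched as Supabase Postgres SQL. This is an added illustration, not BeakerStack's own migration; it assumes a Supabase project where auth.uid() returns the caller's user id, and the is_admin, admin_audit_log and admin_audited_action names are hypothetical.

```sql
-- Added example, not the project's migration. Assumes Supabase Postgres:
-- auth.uid() yields the JWT subject, service_role bypasses RLS.
create table if not exists public.admin_users (
  user_id    uuid primary key references auth.users (id) on delete cascade,
  granted_at timestamptz not null default now()
);
-- RLS on with no policies: anon/authenticated clients see and write nothing.
-- The service role bypasses RLS, which is the only path a grant CLI uses.
alter table public.admin_users enable row level security;

-- Membership check. SECURITY DEFINER runs as the table owner, so it can read
-- admin_users without a policy; a policy on admin_users that queried itself
-- would instead fail with "infinite recursion detected".
create or replace function public.is_admin() returns boolean
language sql stable security definer set search_path = public as $$
  select exists (select 1 from public.admin_users where user_id = auth.uid());
$$;

-- Audit table (hypothetical name): no policies, so clients never touch it directly.
create table if not exists public.admin_audit_log (
  id         bigint generated always as identity primary key,
  actor_id   uuid not null,
  action     text not null,
  target     text,
  created_at timestamptz not null default now()
);
alter table public.admin_audit_log enable row level security;

-- Admin RPC: the check lives here, not in a /admin route guard, because a
-- client can call this function through PostgREST without ever loading the UI.
create or replace function public.admin_audited_action(p_action text, p_target text)
returns void language plpgsql security definer set search_path = public as $$
begin
  if not public.is_admin() then
    raise exception 'not authorized' using errcode = '42501';  -- insufficient_privilege
  end if;
  insert into public.admin_audit_log (actor_id, action, target)
  values (auth.uid(), p_action, p_target);
  -- privileged work for p_action would follow here
end;
$$;
-- Only signed-in users may even call it; the body still rejects non-admins.
revoke execute on function public.admin_audited_action(text, text) from public, anon;
grant  execute on function public.admin_audited_action(text, text) to authenticated;
```

A quick check in a fork: calling the RPC with an authenticated non-admin JWT must return the 42501 error and leave no audit row, and a select on admin_users with that JWT must return zero rows rather than an error.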

Template disclaimer

BeakerStack is a starting point, not a certified secure product. Before production use, review authentication, authorization (especially Row Level Security), billing webhooks, admin grants, and Edge Function secrets in your fork. Customize the policies and threat model for your product and compliance needs.

Supported versions

Security fixes are applied on the active development branch and included in subsequent template releases and package semver bumps. Forks are responsible for merging those updates.