If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public issue
2. Email the maintainer or use GitHub's private vulnerability reporting
3. Include steps to reproduce the vulnerability
4. Allow reasonable time for a fix before public disclosure

This project runs a local HTTP server (port 9889) with SQLite. Security considerations:

• API authentication: Optional API key via AC_API_KEY environment variable
• No remote access by default: Server binds to localhost only
• No secrets in code: All credentials are loaded from environment variables
• SQLite: No external database connections or credentials