Security: 5tjrtddt4k-cloud/Deverse

SECURITY.md

Security Policy

Reporting a vulnerability

Please do not open a public issue for security vulnerabilities.

Report privately via GitHub's security advisories or email security@deverse.app. Include steps to reproduce and the affected version/commit. We aim to acknowledge reports within a few business days and will keep you updated on the fix.

Scope

This repository is the self-hostable DEVERSE application. When self-hosting, note:

  • Bring your own secrets. API keys live in per-app .env files (gitignored) — never commit them. The dev defaults (SECRET_KEY, etc.) are for local use only; set real values in production.
  • Generated apps run as host subprocesses under DEVERSE_WORKSPACE_DIR (the local sandbox). Run DEVERSE on a machine you trust; treat agent-generated code as untrusted.
  • The agent executes shell commands and writes files inside the workspace — keep the workspace isolated from sensitive paths.
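One way to check the isolation point above before starting DEVERSE. This is an added example, not code from the DEVERSE repository: only the DEVERSE_WORKSPACE_DIR name comes from this page, while the sensitive-path list, the function names and the demo layout are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Assumed list of host paths the agent must never reach; adjust per machine.
DEFAULT_SENSITIVE = ["~/.ssh", "~/.aws", "~/.gnupg", "/etc"]


def overlaps(a: Path, b: Path) -> bool:
    """True if the paths are equal or one contains the other."""
    return a == b or a in b.parents or b in a.parents


def check_workspace(workspace, sensitive=DEFAULT_SENSITIVE):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    ws = Path(workspace).expanduser().resolve()  # resolve() follows symlinks
    if ws in (Path(ws.anchor), Path.home().resolve()):
        findings.append(f"workspace {ws} is the filesystem root or home directory")
    for s in sensitive:
        sp = Path(s).expanduser().resolve()
        if overlaps(ws, sp):
            findings.append(f"workspace {ws} overlaps sensitive path {sp}")
    # A symlink inside the workspace that resolves outside it lets generated
    # code reach host files through an in-workspace name.
    for root, dirs, files in os.walk(ws, followlinks=False):
        for name in dirs + files:
            p = Path(root) / name
            if p.is_symlink():
                target = p.resolve()
                if target != ws and ws not in target.parents:
                    findings.append(f"symlink {p} escapes workspace -> {target}")
    return findings


def demo():
    """Constructed layout: a workspace holding one symlink that points outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        ws, secrets = base / "workspace", base / "secrets"
        (ws / "app").mkdir(parents=True)
        secrets.mkdir()
        (ws / "app" / "leak").symlink_to(secrets)
        # First call: isolated directory with an escaping symlink.
        # Second call: workspace set too high, so it contains the secrets dir.
        return check_workspace(ws, [secrets]), check_workspace(base, [secrets])


if __name__ == "__main__":
    target = os.environ.get("DEVERSE_WORKSPACE_DIR")
    results = check_workspace(target) if target else sum(demo(), [])
    print("\n".join(results) or "no findings")
```

The check covers filesystem layout only; it does not restrict what a running subprocess can do with the host user's permissions.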

Supported versions

DEVERSE is pre-1.0 and under active development; security fixes land on main. Pin to a commit for production and update deliberately.
