Security

Last updated: May 14, 2026

Security is part of the product architecture. This page describes practical controls without claiming certifications that are not published.

Transport and access

Use HTTPS for production traffic. Authenticated application areas are protected by Clerk, and Laravel requests should flow through the live-auth proxy where session context is required.

API key handling

API keys and provider secrets must be stored server-side and never committed to the repository or exposed in browser code.

Audio handling

Uploaded audio and generated files should be handled with access control, retention limits, and clear deletion practices appropriate to the plan and workflow.

Security contact

Report suspected vulnerabilities, account compromise, or abuse through the contact/support channel with enough detail to reproduce the issue.