Security: prodmodfour/rotom-table

SECURITY.md

Security

Local-first trust model

Rotom Table is currently a local-first, trust-based tabletop tool. The GM/Player session model is a role picker backed by a cookie; it is not hardened public authentication.

Do not expose this application publicly without replacing the current auth and persistence assumptions. A public deployment should include, at minimum:

  • real authentication and authorization
  • a persistence layer designed for hosted use instead of repository-tree JSON writes
  • review of all mutating API routes
  • content/asset rights review
  • separation of private campaign data from public/static reference data

Sensitive data

Do not submit real campaign/private data, credentials, secrets, private player information, unreleased story notes, or production environment files in issues, pull requests, screenshots, or logs.

The repository ignores common local environment files such as .env and .env.*; keep secrets out of Git.

Reporting issues

If you find a security issue, report it privately to the repository owner/maintainer rather than posting exploit details publicly. Include:

  • a short description of the issue
  • reproduction steps
  • affected routes or files, if known
  • whether private data, filesystem writes, or role boundaries are involved

Because this is a hobby/local-first project, response times may vary, but reports that affect data safety or public exposure assumptions should be treated seriously.