
Security: Lutiancheng1/gemini-webapi-proxy


SECURITY.md

Security Policy

Supported versions

Version   Supported
0.1.x     ✅
0.0.x     ❌ (preview, not published)

Reporting a vulnerability

Please do not file a public GitHub issue for security problems.

Email: 85276107+Lutiancheng1@users.noreply.github.com (use the GitHub UI to obtain the maintainer's actual email if needed).

You can expect:

  • An acknowledgement within 3 business days.
  • An initial assessment within 7 business days.
  • A patch or mitigation plan within 30 days, depending on severity.

We follow coordinated disclosure: please give us a reasonable window before publishing details.

Threat model

This project is a local single-user proxy. The threat model is:

  • Out of scope: the Gemini Web frontend, Google's CDN, the gemini-webapi library, the user's local browser cookie store.
  • In scope: the proxy's HTTP surface, configuration handling, the file at GOP_DATA_DIR/runtime.env, the model registry file.

What we already do

  • data/runtime.env (when generated by scripts/sync_runtime_env.py) is written with chmod 600.
  • The Docker Compose file mounts data/ into the container but does not expose the container's filesystem to the network.
  • Optional Bearer auth via GOP_API_KEY. Empty by default; explicitly opt in when exposing the proxy to other hosts.

What you should do

  • Treat your __Secure-1PSID / __Secure-1PSIDTS as a password. Never commit them, never paste them into a chat, never put them in an image.
  • If you enable GOP_API_KEY, set it to a long random string. Don't reuse a password.
  • Bind the proxy to 127.0.0.1 whenever you can. If you must listen on another address, enable GOP_API_KEY first.
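The two lists above describe three controls (runtime.env mode 600, GOP_API_KEY required before binding off loopback, a long random key) without showing how to verify them. The script below is an added example, not code from this repository: it parses a runtime.env, checks the file mode, checks the bind/key combination, generates a key, and shows a constant-time Bearer comparison. It assumes runtime.env is plain KEY=VALUE lines, that the bind address lives in a variable named GOP_HOST (a hypothetical name, not documented here), and the `authorize()` function illustrates how a Bearer check should compare tokens rather than reproducing the proxy's own middleware. The sample runtime.env content is constructed.

```python
from __future__ import annotations

import hmac
import os
import secrets
import stat
import tempfile
from pathlib import Path

# Assumptions for this example (not taken from the project):
#  - runtime.env is plain KEY=VALUE lines, optionally quoted, with '#' comments
#  - the bind address is in a variable named GOP_HOST (hypothetical name)
#  - authorize() is an illustration of a Bearer check, not the proxy's middleware
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}
MIN_KEY_LEN = 32  # policy says "long random string"; 32 chars is this example's floor


def parse_runtime_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; skip blanks and comments; strip one layer of matching quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_file_mode(path: Path) -> list[str]:
    """Flag a runtime.env that group or others can read or write (policy: chmod 600)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:04o}, expected 0600"]
    return []


def check_config(env: dict[str, str]) -> list[str]:
    """Refuse a non-loopback bind without GOP_API_KEY, and reject short keys."""
    problems: list[str] = []
    host = env.get("GOP_HOST", "127.0.0.1")
    key = env.get("GOP_API_KEY", "")
    if host not in LOOPBACK_HOSTS and not key:
        problems.append(f"GOP_HOST={host} exposes the proxy but GOP_API_KEY is empty")
    if key and len(key) < MIN_KEY_LEN:
        problems.append(f"GOP_API_KEY is {len(key)} chars; use at least {MIN_KEY_LEN}")
    return problems


def generate_api_key(nbytes: int = 32) -> str:
    """A long random URL-safe key from the OS CSPRNG (never a reused password)."""
    return secrets.token_urlsafe(nbytes)


def authorize(authorization_header: str | None, expected_key: str) -> bool:
    """Bearer check. Empty expected_key means auth is off, mirroring the opt-in default.
    Tokens are compared in constant time so a wrong guess leaks nothing via timing."""
    if not expected_key:
        return True
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_key.encode())


def file_mode_check_for(mode: int) -> list[str]:
    """Helper: write a throwaway runtime.env with the given mode and run check_file_mode."""
    fd, name = tempfile.mkstemp(prefix="runtime.env.")
    try:
        os.write(fd, b"GOP_API_KEY=\n")
        os.close(fd)
        os.chmod(name, mode)
        return check_file_mode(Path(name))
    finally:
        os.unlink(name)


if __name__ == "__main__":
    # Constructed sample: binds to all interfaces with no key set.
    sample = 'GOP_HOST="0.0.0.0"\n# generated by hand for this example\nGOP_API_KEY=\n'
    for problem in check_config(parse_runtime_env(sample)) + file_mode_check_for(0o644):
        print("FAIL:", problem)
    key = generate_api_key()
    print("example key:", key)
    print("authorized:", authorize(f"Bearer {key}", key))
```

Run it before starting the proxy; a non-empty list of failures means either the file mode or the bind/key combination contradicts this policy. The `hmac.compare_digest` call is the point of `authorize()`: a plain `==` on the token returns early at the first mismatched byte, which an attacker on the same network can measure.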

There aren't any published security advisories