Security: itzadhi/unio

Security Policy

Supported Versions

UNIO is pre-1.0 private software. The latest private release is the only supported build.

Reporting A Vulnerability

Report security issues privately to the repository owner. Do not open a public issue with secrets, tokens, screenshots of private accounts, database URLs, or exploit details.

Include:

  • affected version
  • operating system
  • reproduction steps
  • expected behavior
  • actual behavior
  • relevant logs with secrets removed

Secrets

Never commit or upload:

  • .env
  • GitHub tokens
  • Discord OAuth client secrets
  • Discord bot tokens
  • Turso auth tokens
  • Groq API keys
  • Lavalink passwords
  • Chrome extension .pem signing keys
  • database exports with real user data

If a secret is exposed, rotate it immediately.

Release Artifact Safety

Before publishing a release, inspect the source zip and git status for:

  • .env
  • .pem
  • .key
  • github_pat
  • node_modules
  • src-tauri/target
  • debug logs

Private repositories can still leak through copied zips, screenshots, logs, or future collaborator access.
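
One way to automate the zip half of this inspection, shown as an added example that is not part of UNIO's own tooling. Treating "debug logs" as `*.log`, also matching `.env.*` variants, and every path in the sample archive are assumptions of the example; `path_reasons` can be applied to paths listed by `git status` as well.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Patterns from the checklist above. Treating "debug logs" as *.log and
# matching .env.* variants are assumptions of this example.
BLOCKED_SUFFIXES = (".pem", ".key", ".log")
BLOCKED_DIRS = ("node_modules", "src-tauri/target")
TOKEN_MARKER = b"github_pat"

def path_reasons(path):
    """Reasons one path (a zip entry or a `git status` path) should block a release."""
    name = PurePosixPath(path).name
    padded = "/" + path.strip("/") + "/"
    reasons = ["env file"] if name == ".env" or name.startswith(".env.") else []
    reasons += [f"{s} file" for s in BLOCKED_SUFFIXES if name.endswith(s)]
    reasons += [f"{d} directory" for d in BLOCKED_DIRS if f"/{d}/" in padded]
    return reasons

def scan_release_zip(zip_bytes):
    """Return sorted (entry, reason) findings for a release zip held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            findings += [(info.filename, r) for r in path_reasons(info.filename)]
            # Names alone miss a token pasted into an otherwise ordinary file.
            if not info.is_dir() and TOKEN_MARKER in zf.read(info):
                findings.append((info.filename, "github_pat marker in content"))
    return sorted(findings)

def build_sample_zip():
    """Constructed archive: every path and value here is made up for the demo."""
    entries = {
        "app/src/main.ts": b"export const ok = true;\n",
        "app/.env": b"EXAMPLE_SETTING=placeholder\n",
        "app/keys/signing.pem": b"placeholder, not a key\n",
        "app/node_modules/dep/index.js": b"module.exports = 1;\n",
        "app/src-tauri/target/debug/run.log": b"constructed log line\n",
        "app/scripts/publish.sh": b"TOKEN=github_pat_CONSTRUCTED_PLACEHOLDER\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, reason in scan_release_zip(build_sample_zip()):
        print(f"BLOCK {entry}: {reason}")
```

An empty result means none of the listed patterns were found; it does not show that the archive is free of secrets in other formats.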

Browser Guard Limits

Focus Guard is not a security boundary. Users can bypass it by changing browsers, profiles, policies, extensions, proxy settings, or OS state.

Dependency Updates

Keep these updated carefully:

  • npm packages
  • Rust crates
  • Tauri
  • Chrome extension manifest behavior
  • Discord API assumptions

Run build and guard tests after updates.

There aren't any published security advisories