Security

Security posture

Runtime hardening

Helmet CSP, HSTS in production, CORS allow-listing, rate limits and body sanitization protect public APIs.

Secrets

GitHub Actions can sync secrets to Hetzner .env with masked values, SSH validation and PM2 reload. External provider secrets are optional until enabled.

Payments

Direct BTC owner-wallet checkout is the current production rail. NOWPayments uses HMAC IPN verification only when enabled later.
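HMAC IPN verification of the kind mentioned above, sketched as an added example (not this site's own code): the receiver recomputes an HMAC-SHA512 over the key-sorted JSON body and compares it in constant time with the signature header. It assumes the scheme in NOWPayments' published IPN description (signature sent in `x-nowpayments-sig`); the secret, payload and function names are constructed for illustration.

```javascript
const crypto = require("crypto");

// Recursively sort object keys so sender and receiver serialize identically.
function sortKeys(value) {
  if (Array.isArray(value)) return value.map(sortKeys);
  if (value !== null && typeof value === "object") {
    return Object.keys(value).sort().reduce((out, key) => {
      out[key] = sortKeys(value[key]);
      return out;
    }, {});
  }
  return value;
}

// HMAC-SHA512 (hex) over the canonical, key-sorted JSON form of the payload.
function signIpn(payload, secret) {
  return crypto.createHmac("sha512", secret)
    .update(JSON.stringify(sortKeys(payload)))
    .digest("hex");
}

// True only when sigHeader (value of x-nowpayments-sig, assumed) matches the body.
function verifyIpn(rawBody, sigHeader, secret) {
  // Reject missing or malformed signatures before doing any work.
  if (typeof sigHeader !== "string" || !/^[0-9a-f]{128}$/i.test(sigHeader)) return false;
  let payload;
  try { payload = JSON.parse(rawBody); } catch { return false; }
  if (payload === null || typeof payload !== "object") return false;
  const expected = Buffer.from(signIpn(payload, secret), "hex");
  const received = Buffer.from(sigHeader, "hex");
  // timingSafeEqual throws on unequal lengths, so check length first.
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed sample callback, signed with a constructed secret.
const SECRET = "constructed-ipn-secret";
const body = JSON.stringify({
  payment_status: "finished", order_id: "demo-1", price_amount: 10,
  fee: { currency: "btc", amount: 0.0001 },
});
const goodSig = signIpn(JSON.parse(body), SECRET);
const tampered = body.replace('"price_amount":10', '"price_amount":1');

console.log(verifyIpn(body, goodSig, SECRET));     // genuine callback
console.log(verifyIpn(tampered, goodSig, SECRET)); // amount altered in transit
```

Run the check on the body as received, before body-sanitization middleware rewrites any field, or genuine callbacks will fail verification.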

Integrity

The site publishes Ed25519-signed integrity at /.well-known/unicorn-integrity.json and DID discovery at /.well-known/did.json.

QuantumIntegrityShield

The backend exposes exact diagnostics at /api/quantum-integrity/status and avoids false degraded state from retired PM2 process names.

Incident handling

Incidents are sealed publicly and linked from /status and /trust.

Last updated: 2026-04-28 · Owner: Vladoi Ionut · Contact: vladoi_ionut@yahoo.com

build 3d1ef61897b2