This app handles one secret: the snapshot decryption passphrase. It
is entered into a form field each session, held in memory only for the
life of the tab, and never written to any storage (IndexedDB,
localStorage, cookies) or sent anywhere — the built page's Content
Security Policy (connect-src 'none') prevents any network request after
the initial asset load. The decrypted snapshot itself is also memory-only
and is discarded when the tab closes.
The only thing persisted across sessions is a File System Access API file handle (Chromium browsers only), saved in IndexedDB so a returning visit can offer one-click reopen. A handle is a reference the browser manages, not file contents or a secret.
Vulnerabilities in scope:
- Passphrase disclosure in the DOM, browser storage, or anywhere outside the in-memory form state
- The decrypt pipeline (age decrypt → gunzip → JSON parse → schema gate) bypassed, weakened, or made to accept tampered input undetected
- A way for the built app to make a network request despite the CSP
- Account data (balances, trade history) leaking anywhere other than the rendered page
- Dependency vulnerabilities with a plausible exploitation path in this app
Out of scope:
- mt5-pnl-exporter and mt5-pnl-cli — see their own security policies (exporter, cli)
- A compromised OS user session or browser profile — the documented trust boundary; anyone with that access can read whatever the browser can read
- Browser vendor bugs (e.g. a File System Access or CSP implementation flaw) — report those upstream
- GitHub Actions are pinned to commit SHAs (not mutable tags), so a
compromised or retagged action cannot inject code into CI.
Renovate keeps the pins current via
helpers:pinGitHubActionDigests. - Dependency update PRs (Renovate) must pass CI before auto-merging;
majors require manual review. See
renovate.json. - The Content Security Policy is enforced at build time, not just
documented:
vite.config.tsinjectsconnect-src 'none'(and a matching restrictive policy for scripts, styles, and other fetch directives) into the builtindex.html. Verify it on any deployment by viewing the page source.
Do not open a public GitHub issue for security vulnerabilities. Public issues expose the vulnerability before a fix is available.
Report privately via the Security tab — Report a vulnerability. This opens a private workspace visible only to you and the maintainer.
You will receive a response within 7 days. Once a fix is ready, I'll agree a disclosure date with you before publishing.