If you discover a security vulnerability, please do not open a public GitHub issue. Instead, report it privately:
- Open a GitHub Security Advisory on this repository (Settings → Security → Advisories → New draft).
- Describe the vulnerability, reproduction steps, and potential impact.
A maintainer will respond within 72 hours to acknowledge receipt and discuss a fix timeline.
.env,.env.*, or any file containing API keys, passwords, or tokenstools/keys/(gitignored)secrets.jsonor*.local.json(gitignored)~/.claude/.credentials.json(lives only on the host machine)
The .gitignore in this repository explicitly excludes these patterns. Do not
override them.
Claude OAuth access and refresh tokens are stored in two places only:
-
Host machine —
~/.claude/.credentials.json, written byclaude login. Never committed. Thetools/provisionandtools/creds-watchertools read this file and push tokens to the board over USB serial or WiFi. -
Device NVS — stored in the ESP32's Non-Volatile Storage partition, which is on-chip flash. NVS is not exported or transmitted; it is only accessible via the device API when a valid passcode is set, or over USB serial.
Tokens are never logged in full. The provisioning tools redact them to a short
prefix for display (e.g., eyJ...abc123).
The device API (port 8080) optionally requires an X-EspScreen-Secret header
for all requests. Set a passcode from the web portal Settings tab or via serial:
api set-secret <your-secret>
When set, unauthenticated API requests receive 401 Unauthorized. The web
portal (port 80) uses the same secret for its API calls; the portal UI itself
is not password-protected.
The passcode is stored in NVS (not transmitted back via any API endpoint).
Recommendation: set a passcode on any device reachable on a shared or untrusted network.
- The device does not expose any service to the internet by default; it connects to your local WiFi network only.
- The SoftAP (
EspScreen-Setup) is active only during first-boot setup. After WiFi credentials are saved and the device reboots, the AP is disabled. - No authentication is required on the SoftAP captive portal by design — the intent is ease of first-time setup on an isolated temporary network.