security

high-level security posture for zapalgo.

authentication

user authentication is handled via google oauth2 and django simplejwt. the jwts are kept in a module-level in-memory store so they can be read synchronously, and are also persisted to localStorage so a session survives a page refresh. localStorage is readable by any javascript running on the page, so an xss vulnerability would expose the tokens to an injected script. keep all third-party scripts minimal and trusted, keep access tokens short-lived so a leaked one is only briefly useful, and restrict script sources with a content security policy where possible.
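as an added illustration of the trade-off above (example code, not zapalgo's own): a token store that mirrors the jwt to localStorage survives a simulated page refresh but is readable by any other script on the page, while a memory-only store is not. the `localStorage` shim, the storage key `access_token`, the jwt-shaped string and the `xssPayload` function are all constructed for this example so it runs offline under node.

```javascript
// Added example, not zapalgo's code. Models the two storage strategies and
// what an injected script can read from each.

// Constructed in-memory stand-in for the browser's localStorage so the
// example runs under Node; the API surface matches the real one.
const localStorage = (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
    clear: () => m.clear(),
  };
})();

const STORAGE_KEY = 'access_token'; // assumed key name, not from the project

// Pattern described on the page: module memory for synchronous reads,
// localStorage so the token survives a page refresh.
function createPersistentStore() {
  let token = null; // module-level memory
  return {
    set(t) { token = t; localStorage.setItem(STORAGE_KEY, t); },
    get() { return token; },
    // After a refresh the module state is gone; rehydrate from storage.
    hydrate() { token = localStorage.getItem(STORAGE_KEY); return token; },
  };
}

// Hardened variant: memory only. Nothing is written where another script can
// read it, but a refresh loses the token and the app must re-obtain one
// (for example via a refresh endpoint backed by an httpOnly cookie; that
// wiring is an assumption, not something the page describes).
function createMemoryOnlyStore() {
  let token = null;
  return {
    set(t) { token = t; },
    get() { return token; },
    hydrate() { return token; }, // nothing to recover from storage
  };
}

// Constructed stand-in for an injected script. It holds no reference to the
// store module; it only touches the globals every script on the page shares.
function xssPayload() {
  return localStorage.getItem(STORAGE_KEY);
}

// Simulate: login, page refresh (module state reset), then the injected
// script runs. Returns what the app recovered and what the attacker got.
function simulate(makeStore) {
  localStorage.clear();
  let store = makeStore();
  store.set('eyJhbGciOiJIUzI1NiJ9.demo.sig'); // constructed jwt-shaped string
  store = makeStore();                         // refresh: memory is lost
  const afterRefresh = store.hydrate();
  const stolen = xssPayload();
  return { afterRefresh, stolen };
}
```

`simulate(createPersistentStore)` shows both the session surviving the refresh and the payload reading the same value; `simulate(createMemoryOnlyStore)` shows the payload getting nothing, at the cost of the session not surviving the refresh. which side of that trade-off to take is the decision the section above documents.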

broker credentials

treat broker credentials and tokens as sensitive secrets. only provide them in trusted environments, and keep them out of source control, logs and client-side code.

responsible disclosure

if you discover a security issue, report it privately to the team before public disclosure.