Security model
A public-safe demo architecture with clear boundaries around simulated Web3 behavior.
Demo mode only
All wallet, contribution, milestone, and refund states are simulated with local data.
No secret recovery data
The app never asks for private keys, seed phrases, real signatures, or MetaMask access.
Validated inputs
Campaign creation and contribution forms validate bounds and sanitize displayed user text.
Server-side secrets ready
The project includes .env.example and keeps future service keys out of client components.
Applied defaults
Security headers are configured in Next.js for frame denial, content-type sniffing protection, strict referrer behavior, and disabled browser permissions for camera, microphone, geolocation, payment, and USB.
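As an added illustration (not the project's own next.config.js), the following shows how those defaults are expressed in the Next.js `headers()` config, together with a small checker that reports any header a deployment has dropped or changed. The exact header values are assumptions; the page names the protections, not the values.

```javascript
// Added example, not the project's config. Header values are assumptions.
const securityHeaders = [
  // Refuse to be embedded in any frame (clickjacking defence).
  { key: 'X-Frame-Options', value: 'DENY' },
  // Stop browsers from guessing a content type other than the declared one.
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  // Send only the origin cross-site, and nothing at all on HTTPS->HTTP downgrades.
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  // Disable the listed browser features for this origin and any embedded content.
  { key: 'Permissions-Policy',
    value: 'camera=(), microphone=(), geolocation=(), payment=(), usb=()' },
];

// One rule applying the baseline to every route.
function headerRules() {
  return [{ source: '/(.*)', headers: securityHeaders }];
}

// Shape Next.js expects: `module.exports = { async headers() { ... } }`.
async function headers() {
  return headerRules();
}

// Compare a response's headers (as received, any casing) against the baseline.
// Returns a list of problems; an empty list means every header is present and exact.
function checkHeaders(responseHeaders) {
  const normalized = {};
  for (const [k, v] of Object.entries(responseHeaders)) normalized[k.toLowerCase()] = v;
  const problems = [];
  for (const { key, value } of securityHeaders) {
    const got = normalized[key.toLowerCase()];
    if (got === undefined) problems.push(`missing ${key}`);
    else if (got !== value) problems.push(`${key}: expected "${value}", got "${got}"`);
  }
  return problems;
}

if (typeof module !== 'undefined') {
  module.exports = { headers, headerRules, securityHeaders, checkHeaders };
}
```

Running `checkHeaders` against a fetched response in a smoke test turns a silently dropped header into a failing build.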