Security model

A public-safe demo architecture with clear boundaries around simulated Web3 behavior.

Demo mode only

All wallet, contribution, milestone, and refund states are simulated with local data.

No secret recovery data

The app never asks for private keys, seed phrases, real signatures, or MetaMask access.

Validated inputs

Campaign creation and contribution forms validate bounds and sanitize displayed user text.

Server-side secrets ready

The project includes .env.example and keeps future service keys out of client components.

Applied defaults

Security headers are configured in Next.js for frame denial, content-type sniffing protection, strict referrer behavior, and disabled browser permissions for camera, microphone, geolocation, payment, and USB.
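The header set described above, written out as a Next.js `headers()` config. This is an added example, not the project's own next.config.js; the catch-all route pattern and the exact Referrer-Policy value are assumptions, since the page names the goals rather than the values.

```javascript
// Added example: Next.js security-header defaults for the demo app.
// Assumptions (not from the project): the '/(.*)' source pattern and
// 'strict-origin-when-cross-origin' as the "strict referrer" choice.

// Browser features the demo never needs; each is denied for every origin.
const DENIED_FEATURES = ['camera', 'microphone', 'geolocation', 'payment', 'usb'];

// Build the Permissions-Policy value, e.g. "camera=(), microphone=()".
// An empty allowlist "()" disables the feature for the page and its frames.
function buildPermissionsPolicy(features) {
  return features.map((feature) => `${feature}=()`).join(', ');
}

// Response headers applied to every route.
function buildSecurityHeaders() {
  return [
    // Frame denial: the demo may not be embedded in an iframe (clickjacking).
    { key: 'X-Frame-Options', value: 'DENY' },
    // Content-type sniffing protection: browser must honour Content-Type.
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    // Strict referrer behavior: full URL same-origin only, origin only
    // cross-site, nothing on HTTPS -> HTTP downgrades.
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    // Disabled browser permissions for the listed features.
    { key: 'Permissions-Policy', value: buildPermissionsPolicy(DENIED_FEATURES) },
  ];
}

// Look up one header value by name; handy for checking the config in tests.
function headerValue(headers, key) {
  const entry = headers.find((h) => h.key === key);
  return entry ? entry.value : undefined;
}

// Shape of a next.config.js export: headers() returns [{ source, headers }].
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: buildSecurityHeaders() }];
  },
};

if (typeof module !== 'undefined') module.exports = nextConfig;
```

After deploying, confirm the values with a plain request (for example `curl -I` against the site) rather than trusting the config file alone, since a CDN or reverse proxy in front of Next.js can strip or override them.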