Security model

Know what credentials the tool needs before you deploy.

PrivateDeploy automates sensitive infrastructure. Treat cloud API keys, SSH keys, node passwords, and generated subscription links as production secrets.

Cloud API keys

Use narrowly scoped provider tokens where possible. Rotate any key that appears in logs, screenshots, or test output.

SSH material

DigitalOcean recovery uses a managed ed25519 keypair that can access created droplets as root.

Node credentials

Protocol passwords, UUIDs, Reality keys, and share links are secrets.

Local storage

Provider tokens and sensitive config should use OS keyring-backed storage rather than plaintext files.

Preview release safety checklist

Before distributing a build, complete these checks for that exact tag.

| Area | Gate | Required outcome |
| --- | --- | --- |
| Secret scan | Required | No API keys, private keys, tokens, passwords, node links, or subscription URLs in source or artifacts. |
| Release artifacts | Required | Every binary has a SHA256 checksum and comes from the same commit/tag. |
| Cloud smoke tests | Provider-specific | Only list a provider after create, deploy, connect, recover where applicable, and delete pass. |
| iOS support | Conditional | Mark iOS as build-required unless VPNCore and entitlements are validated on a real device. |
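
An added example (not PrivateDeploy's own release script) of the release-artifact checksum gate from the checklist: it fails when any file lacks a checksum entry, a digest does not match, or a listed file is missing. The `SHA256SUMS` manifest name and its `sha256sum`-style line format are assumptions, and the same-commit/tag requirement is not checked here.

```bash
#!/usr/bin/env bash
# Added example: release-artifact checksum gate.
# Assumption: artifacts sit in one directory next to a manifest named
# SHA256SUMS with "<hex digest>  <filename>" lines (sha256sum format).
# Filenames containing whitespace are not supported by this sketch.
# Usage: check_release_checksums <artifact-directory>

# Print the SHA256 digest of a file (GNU coreutils, or shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if every artifact is listed with a matching digest and
# every manifest entry exists on disk. All failures are reported on stderr.
check_release_checksums() {
  local dir="$1" manifest="$1/SHA256SUMS" rc=0 f name want got
  [ -f "$manifest" ] || { echo "FAIL: no SHA256SUMS in $dir" >&2; return 1; }

  # Pass 1: walk the files, not the manifest, so an unlisted binary is caught.
  # "sha256sum -c" alone only verifies the entries that are present.
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name="$(basename "$f")"
    [ "$name" = "SHA256SUMS" ] && continue
    want="$(awk -v n="$name" \
      '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$manifest")"
    if [ -z "$want" ]; then
      echo "FAIL: $name has no checksum entry" >&2; rc=1; continue
    fi
    got="$(sha256_of "$f")"
    [ "$got" = "$want" ] || { echo "FAIL: $name digest mismatch" >&2; rc=1; }
  done

  # Pass 2: walk the manifest so a stale or missing artifact is caught.
  while read -r want name; do
    [ -n "$name" ] || continue
    name="${name#\*}"   # strip the binary-mode marker if present
    [ -f "$dir/$name" ] || { echo "FAIL: $name listed but missing" >&2; rc=1; }
  done < "$manifest"

  return "$rc"
}
```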

Data handling

PrivateDeploy should be evaluated as a local-first infrastructure tool.

Not a hosted VPN service

The project does not provide shared proxy servers. You deploy nodes into accounts and hosts you control.

Secrets stay sensitive

Cloud API keys, managed SSH keys, node passwords, UUIDs, and subscription links should not be pasted into public issues.

Report vulnerabilities

Use GitHub issues for non-sensitive bugs. For exploitable reports, use a private GitHub security advisory when available.

Responsible use

Use PrivateDeploy only with infrastructure and accounts you own or have authorization to manage. Review cloud provider terms before deploying.

local release gate
bash scripts/check_versions.sh
scripts/secret_scan.sh