Security Model

Future Gadget Lab keeps public and protected concerns separate.

Public rules

  • No sensitive backend URL is exposed to the browser.
  • No protected server token is embedded in client code.
  • Public copy stays concept-level and non-reconstructive.

Server rules

  • Browser traffic flows through Next.js route handlers.
  • Sensitive integrations are environment-gated.
  • Webhooks and external inputs must be validated before side effects.
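The server rules above, sketched as one route handler. This is an added example, not Future Gadget Lab's own code. The WEBHOOK_SECRET variable, the x-signature header, the HMAC-SHA256 scheme and the recordEvent side effect are all assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed names (not from the project): WEBHOOK_SECRET, x-signature, recordEvent.
type Env = Record<string, string | undefined>;
type Outcome = { status: number; body: string };

// Constant-time check of a hex HMAC-SHA256 signature over the raw request body.
export function verifySignature(rawBody: string, signatureHex: string, secret: string): boolean {
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const given = Buffer.from(signatureHex, "hex"); // malformed hex yields a short buffer
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Every rejection path returns before sideEffect can run.
export function handleWebhook(
  rawBody: string,
  signature: string | null,
  env: Env,
  sideEffect: (event: { type: string }) => void,
): Outcome {
  const secret = env.WEBHOOK_SECRET;
  if (!secret) return { status: 503, body: "integration disabled" }; // environment gate
  if (!signature || !verifySignature(rawBody, signature, secret)) {
    return { status: 401, body: "invalid signature" };
  }
  let event: unknown;
  try {
    event = JSON.parse(rawBody);
  } catch {
    return { status: 400, body: "malformed JSON" };
  }
  if (typeof event !== "object" || event === null || typeof (event as { type?: unknown }).type !== "string") {
    return { status: 400, body: "unexpected payload shape" };
  }
  sideEffect(event as { type: string });
  return { status: 200, body: "ok" };
}

// Hypothetical side effect; a real handler would write to a queue or database here.
function recordEvent(event: { type: string }): void {
  console.log("accepted event:", event.type);
}

// Route handler, e.g. app/api/webhook/route.ts. The secret is read server-side only.
export async function POST(request: Request): Promise<Response> {
  const rawBody = await request.text(); // verify the exact bytes received, before parsing
  const outcome = handleWebhook(rawBody, request.headers.get("x-signature"), process.env, recordEvent);
  return new Response(outcome.body, { status: outcome.status });
}
```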