RexAlgo handles Mudrex API secrets and session tokens. Treat this like production financial software.

• Never commit backend/.env.local, .env, or real Mudrex keys. Templates: backend/.env.example, root .env.example (Docker).
• Production: Use long random values for JWT_SECRET and ENCRYPTION_KEY (see .env.example). Rotate if leaked.
• Database: SQLite file permissions; in Docker, use a named volume and restrict host access.

• Mudrex API secret is securely encrypted in storage, and JWT is held in an HttpOnly cookie for session management.
• API routes that touch Mudrex should remain authenticated where appropriate (see backend/src/middleware.ts).
• Copy-trading webhooks (POST /api/webhooks/copy-trading/*) are unauthenticated but HMAC-signed (see backend/src/lib/copyWebhookHmac.ts). Signing secrets are encrypted in SQLite like user secrets. Rotate a leaked secret from Copy trading studio (open it from Master studio in the top nav). A simple per-strategy rate limit applies in-process (backend/src/lib/copyWebhookRateLimit.ts); add gateway rate limits in production.

• A verified webhook can cause real orders on followers’ Mudrex accounts. Masters must protect bot credentials and webhook URLs.
• Partial failures are expected (margin, exchange rules); check studio signal history and server logs. This is not a guarantee of identical fills across accounts.

• Open a private security advisory on GitHub, or contact the repository owner privately.
• Do not post exploit details in public issues before a fix is available.

RexAlgo is not affiliated with Mudrex. Trading crypto futures carries significant risk. This document is not legal or compliance advice.