Portfolixir handles sensitive financial data. Treat it as a private finance system by default.
- Do not store real financial fixtures in the repository.
- Do not store secrets in source code.
- Do not write `.env` from the web UI.
- Do not make external LLM calls from the application in the MVP.
- Do not call real market-data providers in tests.
- Do not implement trading, broker order placement, wallet signing or bank payment flows.
- Do not use `String.to_atom/1` on external input.
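The `String.to_atom/1` rule exists because atoms are never garbage-collected: every distinct external string creates a new atom, so request parameters can grow the atom table until the VM reaches its limit and crashes. The following is an added example, not Portfolixir's own code; the module name and the allowed field names are hypothetical. It shows the unsafe call beside an allowlist parser that never creates atoms from input:

```elixir
# Added example (not Portfolixir code): parsing an external "sort field" parameter.
# Module and field names are hypothetical and constructed for illustration.
defmodule SortParam do
  # Unsafe: each distinct input string allocates a new atom, and atoms are never
  # freed, so untrusted callers can exhaust the atom table and crash the VM.
  def parse_unsafe(field) when is_binary(field), do: String.to_atom(field)

  # Safe: external input is compared against a fixed allowlist of atoms that
  # already exist at compile time; unknown strings are rejected without
  # touching the atom table.
  @allowed ~w(date amount ticker)a

  @spec parse(term()) :: {:ok, atom()} | {:error, :invalid_sort_field}
  def parse(field) when is_binary(field) do
    case Enum.find(@allowed, &(Atom.to_string(&1) == field)) do
      nil -> {:error, :invalid_sort_field}
      atom -> {:ok, atom}
    end
  end

  # Anything that is not a binary (nil, lists, maps from a JSON body) is rejected too.
  def parse(_), do: {:error, :invalid_sort_field}
end

# SortParam.parse("amount")     => {:ok, :amount}
# SortParam.parse("__struct__") => {:error, :invalid_sort_field}
# SortParam.parse(["date"])     => {:error, :invalid_sort_field}
```

`String.to_existing_atom/1` also avoids allocating new atoms, but it still lets the caller select any atom already loaded in the VM, so an explicit allowlist like the one above is the safer default.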
Never commit:
- real Portfolio Performance files
- broker statements
- bank transactions
- wallet addresses if they identify the user
- API keys
- account numbers
- private notes about holdings
Open a private issue or contact the maintainer directly for security concerns.