
Security: davianspace/davianspace_hosting


SECURITY.md

Security Policy

Supported versions

Version   Supported
1.x       yes

Reporting a vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Email the maintainers at developers@davian.space with:

  1. A description of the vulnerability.
  2. Steps to reproduce.
  3. The potential impact.
  4. Any suggested mitigations (optional).

We aim to acknowledge reports within 48 hours and provide a resolution timeline within 7 days.

Security considerations

davianspace_hosting is a framework-level package that manages application lifecycle, configuration, and dependency injection. The following areas are security-relevant:

Configuration

  • Configuration values may contain secrets (API keys, connection strings). Ensure configuration sources are loaded from trusted origins only.
  • The default builder loads appsettings.json, environment variables, and command-line arguments. Avoid logging raw configuration values in production.

Dependency injection

  • The DI container instantiates and disposes services. Ensure that service factories do not introduce untrusted code or unvalidated inputs into the container.

Process signals

  • The host listens for SIGINT and SIGTERM to trigger graceful shutdown. This is standard behaviour and does not elevate privileges.

Supply chain

  • This package depends exclusively on first-party davianspace_* packages and the official Dart test and lints dev-dependencies. No third-party runtime dependencies are used.

Disclosure timeline

Stage                           Target
Acknowledgement                 48 hours
Triage & severity assessment    7 days
Fix & coordinated release       30 days
Public disclosure               After fix release

There aren't any published security advisories.