Security: ritikadas98/Savio

Security policy

Scope

Savio is a PM portfolio demo, not a production financial product. The codebase, the live demo at savio-financial-app.netlify.app, and the seeded database state are intended for case-study viewing — not for handling real user financial data.

Reporting a vulnerability

If you find a security issue, please report it privately rather than opening a public GitHub issue:

  • GitHub: use private vulnerability reporting on this repository ("Security" tab → "Report a vulnerability").
  • Expect acknowledgement within ~7 days. Triage and any fix happen on a best-effort timebox since this is a portfolio piece, not a staffed product.

What's in scope:

  • Vulnerabilities in code under src/, supabase/functions/, or scripts/.
  • RLS bypass, auth bypass, or any path that returns another user's data (the demo is single-tenant — there's only Priya — but the policy generalisation matters).
  • Dependency CVEs not already covered by Dependabot.

What's out of scope:

  • Anything in docs/, prompts/, or tests/ (documentation / fixtures).
  • The choice to keep historical git commits (see below).
  • Social engineering of the project owner.

No real user data

Everything user-facing in the demo — the email priya@savio.demo, the ₹98,000 income, the 13 commitments, the ~600 transactions, the 5 pre-labeled reflections — is synthetic seed data generated by supabase/migrations/0006_seed_priya.sql. There is no real user PII in this repo or in the live demo's database.

Known: rotated credentials in git history

Earlier in the project, two credentials were briefly committed to source control, detected, and rotated:

Credential                       Value (now dead)     Status                 Last live
Supabase Personal Access Token   sbp_b34d6741…        Revoked by Supabase    May 2026
Postgres database password       0EYo9h7X0852UrlZ     Rotated at dashboard   May 2026

Both literal values are no longer valid for any access but remain visible in the repo's git history (in commits prior to 7949738, which scrubbed them from the working tree).

We chose to disclose rather than rewrite history. Rewriting would change every downstream SHA, and that cost buys little for a portfolio repo with no downstream consumers and credentials that are already dead; a rewrite would also not reach any existing clone or fork, which is why rotation, not history rewriting, is the control that actually matters. If you find these strings while reading history, they are dead values. If you find a new leak in current code or recent commits, please report it via the path above.
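The check a reader of this history will want is a scan of every commit's tree, not just the working tree, since a scrub commit only cleans the latter. The script below is an added example, not code from the Savio repo: it assumes git is on PATH, uses a constructed fake token (not a real credential), and assumes the leaked PAT matches the prefix "sbp_" followed by hex digits, as the table above suggests. It builds a throwaway two-commit repo with the same shape as the incident (leak, then scrub) and shows that the token is confined to history while HEAD is clean.

```shell
#!/bin/sh
# Added example, not code from the Savio repo. Assumes: git is on PATH; a
# Supabase PAT looks like "sbp_" followed by hex (assumption drawn from the
# "sbp_b34d6741…" shown above); the token below is a constructed fake.
set -eu

FAKE_TOKEN='sbp_deadbeefcafe0000'   # constructed stand-in for a leaked PAT

# scan_history PATTERN [REPO_DIR]
# Searches the tree of every reachable commit and prints
# "<sha>:<path>:<line>:<text>" per match. Hits only in commits before the scrub
# are the known, dead leak; a hit in HEAD's commit is a live one.
scan_history() {
    pattern=$1
    repo=${2:-.}
    git -C "$repo" rev-list --all | while read -r sha; do
        git -C "$repo" grep -n -E -e "$pattern" "$sha" || true   # grep exits 1 on no match
    done
}

# head_is_clean PATTERN [REPO_DIR]: succeeds when the current tree has no match.
head_is_clean() {
    ! git -C "${2:-.}" grep -q -E -e "$1" HEAD
}

# build_demo_repo: constructed repo reproducing the incident's shape.
# Commit 1 leaks the token in .env; commit 2 scrubs the working tree only.
build_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    printf 'SUPABASE_PAT=%s\n' "$FAKE_TOKEN" > "$dir/.env"
    git -C "$dir" add .env
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'leak token'
    printf 'SUPABASE_PAT=rotated-and-set-in-dashboard\n' > "$dir/.env"
    git -C "$dir" add .env
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'scrub token from working tree'
    printf '%s\n' "$dir"
}

demo=$(build_demo_repo)
echo "commits whose tree still carries the token:"
scan_history 'sbp_[0-9a-f]+' "$demo"
if head_is_clean 'sbp_[0-9a-f]+' "$demo"; then
    echo "HEAD is clean: only history carries it, so rotation is the remedy"
fi
rm -rf "$demo"
```

Run against a real clone as `scan_history 'sbp_[0-9a-f]+' /path/to/clone`; any line whose SHA is HEAD or a recent commit is the kind of new leak the reporting section above asks for, while lines from commits before the scrub are the disclosed, dead values.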
