openconductor

Critical security risks identified: 1. Hardcoded production Supabase database credentials (username, password, host, port) are present in multiple shell scripts (`scripts/run-stacks-migration.sh`, `scripts/add-server.sh`, `scripts/pull-supabase-data.sh`). This is a severe vulnerability as it exposes direct database access. 2. The PostgreSQL connection in `api/v1/servers.ts` uses `ssl: { rejectUnauthorized: false }`. This disables SSL certificate validation, making the connection vulnerable to Man-in-the-Middle (MITM) attacks, especially if used in a production environment. 3. Public API endpoints use a `Access-Control-Allow-Origin: *` header, which is acceptable for a public registry API but requires careful consideration for any potentially sensitive data. 4. The CLI's ability to install arbitrary NPM packages (derived from server data from the registry) could introduce vulnerabilities if the registry or packages themselves are compromised.