# Security Policy

ZIP packages must be validated for manifest existence, path traversal, and size limits in production hardening.

## Script sandbox policy

UnifiedSpread Script runs with a restricted injected API. DOM, window, document,
network, localStorage/sessionStorage, eval/Function, Shell, COM/ActiveX, Win32
API and direct file system access are not part of the script contract.  Host
systems may replace the default sandbox with an iframe or Worker implementation
through the same service boundary.
