If you discover a security vulnerability, please email [email protected] instead of opening a public issue.
The POST /api/reviews endpoint is intentionally open (no API key required). This is by design: the crit CLI uploads reviews without user accounts or tokens, so anyone who can reach the endpoint can create a review. Abuse is bounded by:
- Rate limiting — write endpoints are limited to 30 requests/minute per client IP via Hammer (the Elixir rate limiter). Note that if the app sits behind a reverse proxy, the limiter must key on the forwarded client address, or every request shares one bucket.
- Size limits — 10 MB total per review, 50 KB per comment, 500 comments max, 200 files max
- Auto-expiry — reviews are automatically deleted after 30 days of inactivity
Reviews are deleted by presenting a delete_token (returned once, at creation time). The token is the only proof of ownership: anyone holding it can delete the review, so treat it as a credential. The crit CLI stores it in .crit.json. There are no user accounts.
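The three mechanisms above (per-IP rate limiting, the upload size limits, and the delete token) written out as standalone checks. This is an added example, not code from the crit project: the review JSON field names ("files", "comments", "body"), the token format, and the fixed-window counter are assumptions for illustration, and the sample payloads are constructed inline.

```python
"""Added example, not the crit project's own code: the protections the
SECURITY page lists, written out as standalone checks.

Assumptions (not taken from the page): the review JSON has a top-level
"files" list and a "comments" list of objects with a "body" string; the
delete token is a URL-safe random string; the rate limiter is a
fixed-window counter keyed by client IP.
"""
import hmac
import json
import secrets
import time

# Limits quoted from the SECURITY page.
MAX_REVIEW_BYTES = 10 * 1024 * 1024   # 10 MB per review
MAX_COMMENT_BYTES = 50 * 1024         # 50 KB per comment
MAX_COMMENTS = 500
MAX_FILES = 200
RATE_LIMIT = 30                       # write requests per window per IP
RATE_WINDOW_SECONDS = 60


def validate_review(raw: bytes) -> list:
    """Return the list of limit violations for a raw review upload (empty = OK).

    The total-size check runs on the raw bytes before parsing, so an
    oversized body is rejected without decoding it.
    """
    if len(raw) > MAX_REVIEW_BYTES:
        return [f"review exceeds {MAX_REVIEW_BYTES} bytes"]
    try:
        review = json.loads(raw)
    except ValueError:
        return ["review is not valid JSON"]
    files = review.get("files", [])
    comments = review.get("comments", [])
    if not isinstance(files, list) or not isinstance(comments, list):
        return ["files and comments must be lists"]
    problems = []
    if len(files) > MAX_FILES:
        problems.append(f"{len(files)} files exceeds limit of {MAX_FILES}")
    if len(comments) > MAX_COMMENTS:
        problems.append(f"{len(comments)} comments exceeds limit of {MAX_COMMENTS}")
    for i, comment in enumerate(comments):
        body = comment.get("body", "") if isinstance(comment, dict) else ""
        # Measure encoded bytes, not characters, so multibyte text cannot
        # slip past a byte limit.
        if len(str(body).encode("utf-8")) > MAX_COMMENT_BYTES:
            problems.append(f"comment {i} exceeds {MAX_COMMENT_BYTES} bytes")
    return problems


def new_delete_token() -> str:
    """Unguessable per-review delete token: 32 random bytes, URL-safe encoded."""
    return secrets.token_urlsafe(32)


def delete_token_matches(stored: str, presented: str) -> bool:
    """Compare the presented token in constant time.

    A plain == returns as soon as a character differs, which leaks how much
    of the token matched through timing; hmac.compare_digest does not.
    """
    return hmac.compare_digest(stored.encode(), presented.encode())


class FixedWindowLimiter:
    """Per-key fixed-window counter: at most `limit` hits per `window` seconds.

    The clock is injectable so the window rollover can be exercised in a test.
    """

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW_SECONDS, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self._buckets = {}   # key (client IP) -> (window_start, count)

    def allow(self, key: str) -> bool:
        now = self.clock()
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0          # window elapsed: reset the counter
        if count >= self.limit:
            self._buckets[key] = (start, count)
            return False
        self._buckets[key] = (start, count + 1)
        return True


if __name__ == "__main__":
    # Constructed samples: a well-formed review and one that breaks two limits.
    ok = json.dumps({"files": ["a.py"], "comments": [{"body": "LGTM"}]}).encode()
    bad = json.dumps({"files": ["f"] * 201,
                      "comments": [{"body": "x" * (MAX_COMMENT_BYTES + 1)}]}).encode()
    print(validate_review(ok))
    print(validate_review(bad))
    token = new_delete_token()
    print(delete_token_matches(token, token), delete_token_matches(token, "nope"))
```

The limiter mirrors the shape of a fixed-window counter: a client that sends 30 writes in the first second of a minute is blocked for the rest of that minute, and a fresh window starts on the first request after it elapses.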
Visitor identity is session-based (cookie). Display names are stored per-session and used for comment attribution; they are self-asserted, so attribution is not proof of who wrote a comment. There is no authentication system.
The API only accepts requests from localhost and 127.0.0.1 origins, since the only intended API client is the local crit CLI. This origin restriction stops cross-site requests from browsers, which set the Origin header themselves; it does not restrict non-browser clients, which can send any Origin header they like, so the rate and size limits above remain the effective protection against direct abuse of the endpoint.