
Security: sanchez314c/md-float


SECURITY.md

Security Policy

Supported Versions

Version Supported
1.x.x Yes

Security Model

MD Float is a local desktop application. Key security considerations:

  • Context Isolation: The renderer process runs with contextIsolation: true and nodeIntegration: false, so page script has no direct Node.js access. The renderer reaches Node.js only through the functions that preload.js exposes over the context bridge.
  • Content Security Policy: The HTML loads with a strict CSP header that restricts scripts to 'self', styles to 'self' 'unsafe-inline', and media to blob: 'self'. The script source carries no 'unsafe-inline' or 'unsafe-eval'; 'unsafe-inline' is permitted for styles only.
  • File Access: Files are read through IPC handlers in the main process. The renderer cannot access the filesystem directly; it can only ask the main process to read a file on its behalf.
  • File Size Limit: Files larger than 10 MB are rejected to prevent memory exhaustion.
  • External API Calls: The optional LLM speech-rewrite feature, used by TTS, sends document text to api.z.ai over HTTPS. Treat that as disclosure of the document to a third-party service: if you work with sensitive documents, disable TTS or run the app without network access.
  • No Remote Content: The app loads no remote scripts, stylesheets, or fonts. All rendering is local.

API Key

The optional LLM speech-rewrite feature authenticates to api.z.ai with ZAI_API_KEY. Override the default key by setting the ZAI_API_KEY environment variable. Do not commit API keys to public repositories.

Reporting a Vulnerability

If you find a security issue, please report it privately:

  1. Open a GitHub Security Advisory
  2. Or email the maintainer directly

Do not open a public issue for security vulnerabilities. You should receive a response within 48 hours.
