Version: v1.0.1
Status: Stable Production Release
Architecture: Fully Client-Side, CDN-Powered

SoundScript is a fully client-side, CDN-powered music streaming application.
It contains no backend servers, no authentication layers, and no remote code execution paths.

All logic executes in the browser, and all media is served via a static CDN.
Because of this architecture, SoundScript is inherently resistant to server-side attack vectors.

No personal information, credentials, or user identifiers are collected.

SoundScript uses a read‑only static CDN (soundscript‑cdn) for:

• MP3 audio files
• Album artwork
• Artist images
• Metadata JSON

CDN assets:

• Contain no executable scripts
• Are immutable between versions
• Cannot modify application behavior

• No cookies are used
• No session tokens are generated
• No background network polling
• No WebSocket connections
• No dynamic remote script injection

This eliminates risks of:

• XSS via remote payloads
• CSRF
• Session hijacking
• Account data leakage

• LocalStorage data is not encrypted — though it contains only non-sensitive playback stats.
• CDN content is public — anyone with the CDN URL can access media files.
• No HTTPS enforcement — though strongly recommended for production use.
• Browser extensions could potentially interfere with or observe playback state.

If you discover a security issue:

• Open a GitHub Issue labeled security
• Or contact the maintainer directly

Please include:

• Description of the issue
• Steps to reproduce
• Browser & device information

All valid security reports will be reviewed promptly.

Planned future upgrades may introduce:

• Authentication
• User profiles
• Backend APIs

If that happens, a new security policy will be issued with:

• Auth hardening
• API rate limiting
• Token handling rules

SoundScript v1.0.1 is a closed‑surface static client architecture —
meaning its attack surface is intentionally minimal.

Your data stays on your device.
Your music stays on the CDN.
No trackers. No accounts. No exposure.