Security

Public disclosure

Public pages describe what the runtime does and what is not yet claimed. Detailed package maps, source identifiers, manifest counts, internal memory files, and candidate hashes belong in private project documentation or in a public repository only after a release decision.

Hosting checks

• Force HTTPS and redirect HTTP to HTTPS after TLS is stable.
• Check for 502 errors from PHP-FPM, reverse proxy, or origin-server configuration.
• Add security headers at the server layer, not only in the theme.
• Keep WordPress core, plugins, and PHP current.

Privacy

The theme does not include measurement scripts or tracking pixels, external fonts, CDN scripts, or third-party JavaScript. If site measurement, forms, cookies, or demos are added later, the privacy page should be updated before launch.