Pantheon has undergone a comprehensive security audit across all four repositories — server, client, website, and Discord bot.
Server-side: 5 development fallback credentials rotated to environment variables, PayPal HTTP client logging fixed (was leaking Bearer tokens), privilege escalation command re-gated to TRUE_DEVELOPER, sensitive files (worlds.yml, private.key) untracked from git, and packet rate limiting implemented with 12 action categories and escalating responses.
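The per-category packet rate limiting with escalating responses described above, as an added illustration (this is not Pantheon's code; the category names, limits and response ladder are assumptions for the example, since the page does not list the 12 real categories). Each category gets a sliding window; one burst over the limit counts as a single strike, and repeated strikes within the strike window move the peer up the response ladder.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Hypothetical action categories with (max_packets, window_seconds).
# Pantheon's real 12 categories and limits are not on the page; these are assumed.
LIMITS = {
    "movement": (20, 1.0),
    "chat": (3, 2.0),
    "inventory": (10, 1.0),
    "block_interact": (15, 1.0),
    "command": (5, 5.0),
    "login": (3, 10.0),
}

# Escalating responses: each additional strike within STRIKE_WINDOW moves one step up.
RESPONSES = ["warn", "drop", "throttle", "kick", "temp_ban"]
STRIKE_WINDOW = 60.0  # strikes older than this no longer count toward escalation


@dataclass
class PeerState:
    windows: dict = field(default_factory=lambda: defaultdict(deque))  # category -> packet timestamps
    last_strike: dict = field(default_factory=dict)  # category -> time of last strike
    strikes: deque = field(default_factory=deque)  # timestamps of all strikes for this peer


class PacketRateLimiter:
    def __init__(self, limits=LIMITS, responses=RESPONSES, strike_window=STRIKE_WINDOW):
        self.limits = limits
        self.responses = responses
        self.strike_window = strike_window
        self.peers = defaultdict(PeerState)

    def check(self, peer_id, category, now=None):
        """Record one packet and return 'allow' or the escalated response name."""
        now = time.monotonic() if now is None else now
        if category not in self.limits:
            # Unclassified traffic is never passed through unmetered.
            return "drop"
        max_packets, window = self.limits[category]
        state = self.peers[peer_id]
        ts = state.windows[category]
        # Sliding window: forget packets that have aged out.
        while ts and now - ts[0] >= window:
            ts.popleft()
        if len(ts) < max_packets:
            ts.append(now)
            return "allow"
        # Over the limit. Register one strike per category per window so a single
        # burst escalates once rather than once per excess packet.
        last = state.last_strike.get(category)
        if last is None or now - last >= window:
            state.last_strike[category] = now
            while state.strikes and now - state.strikes[0] > self.strike_window:
                state.strikes.popleft()
            state.strikes.append(now)
        level = max(0, min(len(state.strikes), len(self.responses)) - 1)
        return self.responses[level]


def simulate(stream, limiter=None):
    """Feed (time, peer_id, category) tuples through a limiter and return the responses."""
    limiter = limiter or PacketRateLimiter()
    return [limiter.check(peer, cat, now=t) for t, peer, cat in stream]


# Constructed sample: one peer sends five chat packets in half a second (limit is 3 per 2 s).
SAMPLE_STREAM = [(i * 0.1, "peer-A", "chat") for i in range(5)]

if __name__ == "__main__":
    for (t, peer, cat), verdict in zip(SAMPLE_STREAM, simulate(SAMPLE_STREAM)):
        print(f"t={t:.1f} {peer} {cat}: {verdict}")
```

The response ladder is per peer rather than per category, so a client that trips several different limits in quick succession escalates faster than one that only floods chat; whether that is desirable depends on how noisy legitimate clients are in each category, which is why the limits are tunable per category.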
Client-side: developer mode disabled by default, placeholder tokens cleared, session token logging removed, and RSA key management documented.
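The two logging fixes above (Bearer tokens in the server's PayPal HTTP client logs, and session token logging on the client) share one defensive pattern: a redaction step that sits in the logging pipeline so that secrets are scrubbed regardless of which call site logs them. Added example, not Pantheon's code; the logger name, the regexes and the sample log lines are constructed for illustration.

```python
import logging
import re

# Constructed patterns for secrets that must never reach a log line.
# Group 1 keeps the label (e.g. "Authorization: Bearer ") so the line stays readable.
REDACTIONS = [
    (re.compile(r"(?i)(authorization['\"]?\s*[:=]\s*['\"]?bearer\s+)[A-Za-z0-9\-._~+/]+=*"),
     r"\1[REDACTED]"),
    (re.compile(r"(?i)\b(session[_-]?token|access[_-]?token|client[_-]?secret)(\s*[=:]\s*)\S+"),
     r"\1\2[REDACTED]"),
]


def redact(text):
    """Apply every redaction pattern to one formatted log message."""
    for pattern, repl in REDACTIONS:
        text = pattern.sub(repl, text)
    return text


class SecretRedactingFilter(logging.Filter):
    """Rewrites the formatted message before any handler emits it."""

    def filter(self, record):
        # Format once, then clear args so the handler does not format again.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the example can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def capture(lines, logger_name="pantheon.http.example"):
    """Log each constructed line through the redacting filter and return the emitted text."""
    logger = logging.getLogger(logger_name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    for line in lines:
        logger.debug("%s", line)
    return handler.lines


# Constructed sample lines resembling an HTTP client debug log and a client login log.
SAMPLE_LINES = [
    "POST /v2/checkout/orders headers={'Authorization': 'Bearer A21AAexample.token-value', "
    "'Content-Type': 'application/json'}",
    "client login ok session_token=9f8e7d6c5b4a",
    "GET /status 200 OK",
]

if __name__ == "__main__":
    for emitted in capture(SAMPLE_LINES):
        print(emitted)
```

Attaching the filter to the handler (or to the root logger) covers third-party HTTP client debug output as well as the project's own calls, which is the failure mode the PayPal fix addressed: the leak came from a library's request logging rather than from an explicit log statement.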
Website and bot: environment variables for all secrets, rate limiting on API routes, input validation on all user-facing endpoints, security headers (HSTS, X-Frame-Options, CSP), and error handling on all Discord API calls.
The anti-cheat system (NRAntiCheatEngine) uses CS2-based bot launcher detection with a sanction queue. All admin commands are properly privilege-gated.