Security
5 documents
Authentication
Use OAuth 2.0 / OpenID Connect with PKCE for all public clients. The Implicit flow is
csharp, ios, kotlin, typescript, web, windows
Data privacy regulations
Identify the privacy regimes that apply and confirm a lawful basis before collecting any personal data.
Privacy and security by default
Collect only what is needed. Prefer on-device processing.
kotlin, swift, typescript
Privacy by design
Map personal-data flows, minimize collection, default to the most private setting, and run a DPIA before building high-risk processing.
Threat modeling
Model trust boundaries and ask the four Manifesto questions before building, so that point security controls trace to a why.