Rehearsal is an open-source static web app with no backend and no user accounts. It serves an HTML/JS page and reads scenario JSON from the same repository. There is no server-side state and no data store.
The optional Live AI mode asks for your own OpenAI API key. That key is held only in the browser tab's memory, is sent only to api.openai.com, and is never stored (no cookies, no localStorage), logged, or transmitted anywhere else. Closing or reloading the tab discards it. Do not paste a key into any deployment you do not trust.
- It does not authenticate users (there are none).
- It does not store personal or health information.
- It does not make clinical, legal, or operational decisions.
- It contains no information about creating, enhancing, acquiring, or characterizing biological agents — by design, it operates only at the decision/policy level.
Please open a private security advisory at https://github.com/acuestamd/rehearsal/security/advisories/new. Examples worth reporting: content injection into the rendered page via a crafted scenario file, or any way the page could exfiltrate a pasted API key. Please do not post exploit details in a public issue.