Public Website
The static website can be hosted on S3 behind CloudFront. It contains public pages only and does not need bot tokens, dashboard tokens, database files, or server credentials.
Dashboard
The dashboard should run on the bot server or a trusted EC2 instance. It reads the same database as the bot and requires a long random DASHBOARD_TOKEN. Do not store that token in this website folder.
Server Isolation
Economy data, stocks, shop items, inventory, custom responders, command settings, and pets are scoped per Discord server.
Recommended Hosting Controls
- Serve the static website through CloudFront with HTTPS.
- Keep the S3 bucket private and use CloudFront Origin Access Control.
- Run the dashboard behind HTTPS on dashboard.zuzupui.xyz.
- Keep EC2 security groups limited to required ports.
- Never expose DISCORD_TOKEN, DASHBOARD_TOKEN, database files, or backups.
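One way to enforce the "nothing secret in the website folder" rule before each upload to S3, shown as an added example that is not part of the bot's own code. The function name scan_site and the list of blocked file suffixes are assumptions; the two variable names come from this page.

```python
"""Pre-deploy check: refuse to publish a static site folder that contains secrets."""
import os
import re
import sys

# Variable names taken from the page; an assignment with a non-empty value is a finding.
# A bare mention of the name in documentation text is not flagged.
SECRET_ASSIGNMENT = re.compile(
    r"\b(DISCORD_TOKEN|DASHBOARD_TOKEN)\b[\"']?\s*[:=]\s*[\"']?([^\s\"']+)"
)
# Assumed naming conventions for database files, backups and env files.
BLOCKED_SUFFIXES = (".db", ".sqlite", ".sqlite3", ".bak", ".sql", ".dump", ".env")


def scan_site(root):
    """Return a sorted list of (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(BLOCKED_SUFFIXES):
                findings.append((rel, "blocked file type"))
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                # Fail closed: a file that cannot be inspected blocks the deploy.
                findings.append((rel, "unreadable file"))
                continue
            for match in SECRET_ASSIGNMENT.finditer(text):
                findings.append((rel, f"{match.group(1)} assigned a value"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_site.py <website-folder>; exits non-zero on any finding.
    results = scan_site(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, reason in results:
        print(f"{rel}: {reason}")
    sys.exit(1 if results else 0)
```

Run it as a required step before the upload so a non-zero exit stops the deploy.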
Permissions
Grant only the permissions required for enabled features. Manage Roles should be used only when role items or role automation are needed.
User Controls
Users can review, export, and delete server-scoped bot data with the privacy commands documented in the Privacy Policy.