# Security Checklist

- **Capabilities**: Inspector requires `manage_options` (filterable via `devsniper_required_cap`); admin search limited to users who can `edit_posts`.
- **Nonces**: All AJAX endpoints verify the shared `devsniper_nonce` plus capability checks before changing data.
- **Sanitization & Escaping**: Inputs sanitized with `sanitize_text_field` / `esc_url_raw`; outputs escaped for HTML/URLs.
- **External Requests**: None. No telemetry, tracking, or remote assets. Everything is served locally.
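
The nonce, capability and sanitization items above, combined in one AJAX handler and its output path. This is an added example, not the plugin's own code: the action `devsniper_save_note`, the option `devsniper_note`, the request fields `nonce`, `label` and `url`, and the use of `devsniper_nonce` as the nonce action string are assumptions.

```php
<?php
/**
 * Added example, not the plugin's own code. Hypothetical names: the action
 * `devsniper_save_note`, the option `devsniper_note`, the request fields, and
 * `devsniper_nonce` used as the nonce action string.
 */

// Logged-in users only: no `wp_ajax_nopriv_` hook is registered.
add_action( 'wp_ajax_devsniper_save_note', 'devsniper_example_save_note' );

function devsniper_example_save_note() {
	// 1. Nonce: reject requests that did not originate from our admin page.
	if ( ! check_ajax_referer( 'devsniper_nonce', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}

	// 2. Capability: a nonce is not authorization, so check the user as well.
	$cap = apply_filters( 'devsniper_required_cap', 'manage_options' );
	if ( ! current_user_can( $cap ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
	}

	// 3. Sanitize: unslash first, then sanitize according to the field type.
	$label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
	$url   = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
	if ( '' === $label || '' === $url ) {
		wp_send_json_error( array( 'message' => 'Missing or invalid field.' ), 400 );
	}

	// 4. Only after all checks pass is data changed.
	update_option( 'devsniper_note', array( 'label' => $label, 'url' => $url ) );
	wp_send_json_success( array( 'label' => $label, 'url' => $url ) );
}

// Escaping happens at output time and is chosen by context (attribute vs. text).
function devsniper_example_render_note() {
	$note = get_option( 'devsniper_note' );
	if ( ! is_array( $note ) ) {
		return;
	}
	printf( '<a href="%s">%s</a>', esc_url( $note['url'] ), esc_html( $note['label'] ) );
}
```

`wp_send_json_error()` terminates the request, so a failed nonce or capability check never reaches `update_option()`.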
