A community safety platform designed to help communities document, report, and stay informed.
Built with privacy-first principles and local-first data storage.
- Emergency Mode - Quick access to rights information and emergency contacts
- Private Reporting - Document incidents locally with optional public sharing
- Live Activity Map - Community-sourced activity reports
- Know Your Rights - Swipeable cards with scripts to use
- Emergency SMS - One-tap alert to trusted contacts
- Community Hub - Events, donations, and resources
```
meltingice/
  app/          # Next.js 15 frontend (App Router)
  components/   # React components
  hooks/        # React hooks
  lib/          # Frontend utilities and API client
  public/       # Static assets
backend/
  api/          # PHP REST API
  migrations/   # SQL migration files
  vendor/       # PHP dependencies (Composer)
```
- Local-first storage: All personal data stays in your browser (IndexedDB)
- No tracking: No analytics, no cookies, no user accounts required
- Sanitization: Public reports are stripped of identifying information
- Your choice: You decide what (if anything) to share publicly
- Node.js 18+
- PHP 8.0+ with PDO MySQL
- MySQL/MariaDB database
- Composer (for PHP dependencies)
```bash
cd meltingice
npm install
npm run dev
```

- Copy environment template:

  ```bash
  cp backend/.env.example backend/.env
  ```

- Configure your database credentials in `backend/.env` (never commit this file)
- Run migrations:

  ```sql
  -- Run these in your database management tool
  -- See backend/migrations/ for all SQL files
  ```

- Install PHP dependencies:

  ```bash
  cd backend
  composer install
  ```

Backend (server .env):
| Variable | Description |
|---|---|
| `DB_HOST` | Database host |
| `DB_NAME` | Database name |
| `DB_USER` | Database user |
| `DB_PASS` | Database password |
| `ADMIN_SECRET` | Secret key for admin API endpoints |
| `SMTP_PASSWORD` | Email SMTP token |

Frontend (.env.local in meltingice/):
| Variable | Description |
|---|---|
| `NEXT_PUBLIC_API_URL` | Base URL for the PHP API (e.g., https://your-domain.com/api) |

- `/admin` is the admin UI. It requires login, but the route is still publicly reachable. In production, restrict access at the server (basic auth, IP allowlist, or a separate admin deployment).
- Admin login: `POST /api/admin/login.php` returns a bearer token stored in localStorage for moderation requests.
- Community approval endpoints (`/api/admin/community/*`) require `X-Admin-Key: $ADMIN_SECRET`. Do not call these from the browser; keep them server-side or in internal tools.
- phpMyAdmin should never be public. Lock it down with IP allowlist or password protection.
- All admin endpoints require authentication or `ADMIN_SECRET`
- No hardcoded credentials in the codebase
- SQL injection prevention via prepared statements
- XSS prevention via input sanitization
- Rate limiting recommended at server level
- Use HTTPS and limit CORS to your actual domains
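
One way to enforce the `X-Admin-Key: $ADMIN_SECRET` requirement on the community approval endpoints, as an added example that is not the project's own code: the comparison is constant-time and fails closed when the secret is unset. The function names are hypothetical, and it assumes `ADMIN_SECRET` from `backend/.env` is available to PHP through `getenv()`.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Function names are hypothetical.

/** True only when a non-empty presented key equals a non-empty configured secret. */
function admin_key_is_valid(?string $presented, ?string $expected): bool
{
    // Fail closed: a missing or empty ADMIN_SECRET must never match an empty header.
    if ($expected === null || $expected === '' || $presented === null || $presented === '') {
        return false;
    }
    // hash_equals() runs in constant time, so response timing does not reveal
    // how much of a guessed key was correct.
    return hash_equals($expected, $presented);
}

/** Call first in each /api/admin/community/* script; stops the request with 401 on failure. */
function require_admin_key(array $server): void
{
    // Assumption: ADMIN_SECRET from backend/.env is exported to the PHP environment.
    $secret = getenv('ADMIN_SECRET');
    // PHP exposes the X-Admin-Key request header as HTTP_X_ADMIN_KEY.
    $presented = $server['HTTP_X_ADMIN_KEY'] ?? null;
    $ok = admin_key_is_valid(
        is_string($presented) ? $presented : null,
        is_string($secret) ? $secret : null
    );
    if (!$ok) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'unauthorized']);
        exit;
    }
}

// Self-check with constructed values when run from the command line.
if (PHP_SAPI === 'cli') {
    $secret = 'constructed-sample-secret';
    $cases = [
        'matching key'        => [$secret, $secret, true],
        'wrong key'           => ['guess', $secret, false],
        'missing header'      => [null, $secret, false],
        'secret unset, empty' => ['', '', false],
    ];
    foreach ($cases as $name => [$presented, $expected, $want]) {
        $got = admin_key_is_valid($presented, $expected);
        echo ($got === $want ? 'ok   ' : 'FAIL ') . $name . PHP_EOL;
    }
}
```

An endpoint script would call `require_admin_key($_SERVER);` before touching the database, so a request without the right key never reaches the approval logic.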
We welcome contributions! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request
This project is licensed under the AGPL-3.0 License - see the LICENSE file for details.
This means:
- You can use, modify, and distribute this software
- You can run it for any purpose
- If you modify and host it publicly, you must share your changes
- Derivative works must also be AGPL-3.0
This software is provided for educational and community safety purposes. It is not legal advice. Always consult with qualified legal professionals for guidance on your specific situation.
Made with care for communities
