i’m glad you’re taking it as intended, i was worried about my tone…
a version that could be used in a restricted setting would
be offline-first (or online-optional, even)
install and work with minimal privileges (no curl|sudo bash)
have few to zero external dependencies that need vetting (to get past IT)
send and store very minimal amounts of data off-device (especially important for PII like user accounts)
use only audited and proven crypto and auth (because nobody should be rolling their own there)
allow bring-your-own-database setups for the server (because some places run the same DB software for everything)
play well with other tools on a posix system, e.g. make sure data files are structured text rather than binary (for future-proofing)
if running in a browser-based environment, preferably work without scripts enabled (to eliminate XSS risks)
if running in a native environment, be open and reproducible (so builds can be verified)
keep to itself; e.g. make sure to keep stuff in its own namespace and not spread files around (for the server this is usually accomplished by containerization but not everyone allows running stuff like docker)
i’m glad you’re taking it as intended, i was worried about my tone…
a version that could be used in a restricted setting would