This is an experimental activitypub implementation. It is being actively developed by @ansuz@social.cryptography.dog.
See Wikipedia for a definition of Jugaad.
Common security holes like admin accounts with default credentials are avoided. Passwords have a required length, but no required character sets or other practices that are known to encourage bad password hygeine. Follow requests require approval. Remote instances with open registration are assumed to be sources of spam or abuse, with most of their activity ignored unless you have explicitly followed them.
information is only shared with those who need access to it. For sensitive information this means approved followers only. Follower and following lists are hidden by default. No user listings, trending topics, or other curation.
Some other Fediverse implementions proactively fetch and store content from remote accounts that aren't even followed by any local users, just in case anyone wants it later. While this can sometimes reduce loading time for media, most media that is stored is never viewed. This behaviour also drastically increases disk, network, and CPU usage.
No big frameworks. No compilation step. Changes to serverside logic are applied at runtime. Core Node.JS APIs are preferred over the extensive dependency use that is common in modern JavaScript projects. Once the core ActivityPub implementation is working a plugin system will be implemented to provide custom behaviour.