Security: norbertm2050/agent-huddle

SECURITY.md

Security Policy

Supported status

This repository is pre-1.0. Treat public deployments as beta until the release runbook is completed with a real production database, rotated secrets, and rate limits.

Reporting vulnerabilities

Please open a private security advisory or contact the maintainer privately. Do not publish working exploit details before a fix is available.

Secret handling

  • Never commit .env, .runtime/, .omx/, output/, api/data/, logs, screenshots containing credentials, or real provider API keys.
  • Provider credentials should be entered by users in the app and encrypted at rest by the API service.
  • Do not put provider keys in NEXT_PUBLIC_* variables. Anything with that prefix is client-visible.
  • For authorized reproduction, a server administrator can decrypt saved provider settings with the server ENCRYPTION_KEY:

    cd api
    uv run python ../scripts/export_provider_secrets.py --run-id run_xxx --show-secrets
    # or:
    uv run python ../scripts/export_provider_secrets.py --workspace-id ws_xxx --show-secrets

Treat that output as a live secret. Do not paste it into tickets, logs, chat, screenshots, or commits.

  • Before publishing or pushing, run:

    ./scripts/security_scan.sh

If a real secret ever enters git history, rotate the secret immediately and rewrite history with git-filter-repo or BFG before making the repository public.

Production minimums

  • APP_ENV=production
  • unique SECRET_KEY
  • unique Fernet-compatible ENCRYPTION_KEY
  • managed Postgres instead of local SQLite
  • exact production CORS_ORIGINS
  • HTTPS-only public endpoints
  • public beta rate limits and abuse monitoring
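The secret-handling rules and the production minimums above are easy to state and easy to forget at deploy time. The following startup guard is an added example written for this page, not code from the agent-huddle project: it reads the configuration as a plain dict of environment variables and refuses to start when a production minimum is missing. The variable names APP_ENV, SECRET_KEY, ENCRYPTION_KEY, CORS_ORIGINS and the NEXT_PUBLIC_ prefix come from the policy; DATABASE_URL is an assumed name for the database setting, the placeholder list and the sample configurations are constructed, and the Fernet key check validates only the key format (32 random bytes, urlsafe base64) so the example runs without the cryptography package.

```python
"""Startup guard for the production minimums in SECURITY.md (added example)."""
import base64
import binascii
from typing import Dict, List

# Placeholder values that ship in templates and must never reach production.
# This list is constructed for the example; extend it with your own defaults.
PLACEHOLDER_VALUES = {"", "changeme", "change-me", "secret", "dev", "test", "example"}

# Name fragments that suggest a NEXT_PUBLIC_* variable carries a credential.
CREDENTIAL_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD")


def is_valid_fernet_key(value: str) -> bool:
    """A Fernet key is 32 bytes encoded as 44 characters of urlsafe base64."""
    if len(value) != 44:
        return False
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except (binascii.Error, ValueError, UnicodeEncodeError):
        return False
    return len(raw) == 32


def check_production_config(env: Dict[str, str]) -> List[str]:
    """Return a list of violations; an empty list means the config may start."""
    problems: List[str] = []

    if env.get("APP_ENV") != "production":
        problems.append("APP_ENV must be 'production'")

    secret = env.get("SECRET_KEY", "")
    if secret.lower() in PLACEHOLDER_VALUES or len(secret) < 32:
        problems.append("SECRET_KEY is missing, a placeholder, or shorter than 32 characters")

    if not is_valid_fernet_key(env.get("ENCRYPTION_KEY", "")):
        problems.append("ENCRYPTION_KEY is not a Fernet-compatible key (32 bytes, urlsafe base64)")

    # Assumed variable name: the policy only says 'managed Postgres instead of local SQLite'.
    db_url = env.get("DATABASE_URL", "")
    if not db_url.startswith(("postgresql://", "postgres://")):
        problems.append("DATABASE_URL must point at managed Postgres, not local SQLite")

    origins = [o.strip() for o in env.get("CORS_ORIGINS", "").split(",") if o.strip()]
    if not origins:
        problems.append("CORS_ORIGINS must list the exact production origins")
    for origin in origins:
        if origin == "*" or not origin.startswith("https://"):
            problems.append(f"CORS origin {origin!r} is not an exact https:// origin")

    # Anything with the NEXT_PUBLIC_ prefix is shipped to the browser.
    for name in env:
        if name.startswith("NEXT_PUBLIC_") and any(h in name.upper() for h in CREDENTIAL_HINTS):
            problems.append(f"{name} is client-visible; provider credentials must not use NEXT_PUBLIC_")

    return problems


# Constructed sample configurations. The Fernet key below is 32 bytes of 0x01,
# a format-valid example key, not a key anyone should deploy.
EXAMPLE_FERNET_KEY = base64.urlsafe_b64encode(b"\x01" * 32).decode("ascii")

WEAK_CONFIG = {
    "APP_ENV": "development",
    "SECRET_KEY": "changeme",
    "ENCRYPTION_KEY": "changeme",
    "DATABASE_URL": "sqlite:///./api/data/app.db",
    "CORS_ORIGINS": "*",
    "NEXT_PUBLIC_OPENAI_API_KEY": "sk-constructed-example",
}

GOOD_CONFIG = {
    "APP_ENV": "production",
    "SECRET_KEY": "example-only-" + "x" * 40,
    "ENCRYPTION_KEY": EXAMPLE_FERNET_KEY,
    "DATABASE_URL": "postgresql://huddle:REDACTED@db.internal:5432/huddle",
    "CORS_ORIGINS": "https://app.example.com,https://admin.example.com",
    "NEXT_PUBLIC_APP_NAME": "Agent Huddle",
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        found = check_production_config(cfg)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

Wire a check like this into the API's startup path so a deployment with dev defaults fails closed instead of serving traffic; the weak sample configuration trips every rule in the list, while the good one passes cleanly.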

License boundary

Agent Huddle is licensed under the PolyForm Noncommercial License 1.0.0. Noncommercial running, development, testing, modification, and distribution are permitted. Commercial use requires separate written permission from the rights holder.

There aren't any published security advisories