From 482d96892805568eaf9af4a23b0eed2346730558 Mon Sep 17 00:00:00 2001 From: Test Date: Sun, 1 Mar 2026 23:44:06 -0500 Subject: [PATCH 1/5] docs: add security policy Co-Authored-By: Claude Opus 4.6 --- SECURITY.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..fa1a3ce --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,31 @@ +# Security Policy + +## Scope + +cc-manager is a **local development tool**. It is designed to run on a developer's machine or within a trusted internal network. It has no authentication and should **never** be exposed to the public internet. + +## Known Limitations + +| Area | Status | Mitigation | +|------|--------|------------| +| Authentication | None | Local use only; restrict via firewall or reverse proxy | +| CORS | Open (all origins) | Restrict at reverse proxy level if needed | +| Webhook SSRF | Partial — blocks private/loopback IPs | DNS rebinding not prevented; use trusted endpoints only | +| Rate limiting | Static key (`"direct"`) | Does not trust `x-forwarded-for`; add `--trust-proxy` if behind proxy | + +## Reporting a Vulnerability + +If you discover a security issue, please report it privately: + +1. **Do NOT open a public issue.** +2. Email the maintainers or use [GitHub Security Advisories](https://github.com/agent-next/cc-manager/security/advisories). +3. Include steps to reproduce and potential impact. +4. We will respond within 7 days. + +## Security Controls + +- **Webhook URL validation**: Blocks loopback, RFC 1918 private ranges, and link-local addresses. +- **Rate limiting**: 30 requests/minute per client on task submission endpoints. +- **Input validation**: Prompt length limits, timeout bounds, priority enum enforcement. +- **Agent isolation**: Each agent runs in an isolated git worktree. `CLAUDECODE` and `CLAUDE_CODE_*` env vars are cleared to prevent Claude nesting. +- **SQLite WAL mode**: Prevents database corruption under concurrent access. From 05f200c9981fb8d093d8e5ec5195618d41182a4b Mon Sep 17 00:00:00 2001 From: Test Date: Sun, 1 Mar 2026 23:44:09 -0500 Subject: [PATCH 2/5] docs: add code of conduct Co-Authored-By: Claude Opus 4.6 --- CODE_OF_CONDUCT.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 CODE_OF_CONDUCT.md 
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..98da4a0 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,26 @@ +# Code of Conduct + +## Our Pledge + +We are committed to making participation in this project a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. + +## Our Standards + +**Positive behavior includes:** +- Using welcoming and inclusive language +- Being respectful of differing viewpoints and experiences +- Gracefully accepting constructive criticism +- Focusing on what is best for the community + +**Unacceptable behavior includes:** +- Trolling, insulting/derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information without explicit permission + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting the maintainers. All complaints will be reviewed and investigated promptly and fairly. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/), version 2.1. From bd4a1de108ab2050ae1d05b0cc88a70ce4c6c301 Mon Sep 17 00:00:00 2001 From: Test Date: Sun, 1 Mar 2026 23:44:13 -0500 Subject: [PATCH 3/5] chore: add .nvmrc for Node 20 Co-Authored-By: Claude Opus 4.6 --- .nvmrc | 1 + 1 file changed, 1 insertion(+) create mode 100644 .nvmrc diff --git a/.nvmrc b/.nvmrc new file mode 100644 index 0000000..209e3ef --- /dev/null +++ b/.nvmrc @@ -0,0 +1 @@ +20 From 0fe6629349d1b92e0b8da6a20078169689528081 Mon Sep 17 00:00:00 2001 From: Test Date: Sun, 1 Mar 2026 23:44:16 -0500 Subject: [PATCH 4/5] fix: correct repository URL in package.json Co-Authored-By: Claude Opus 4.6 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/package.json b/package.json index eea524a..609f1cf 100644 --- a/package.json +++ b/package.json @@ -16,7 +16,7 @@ "license": "MIT", "repository": { "type": "git", - "url": "https://github.com/anthropics/cc-manager" + "url": "https://github.com/agent-next/cc-manager" }, "engines": { "node": ">=20" From 8c897b46297f6de92a0b0481c055ac6f90f41660 Mon Sep 17 00:00:00 2001 From: Test Date: Sun, 1 Mar 2026 23:44:19 -0500 Subject: [PATCH 5/5] chore: add .env to .gitignore Co-Authored-By: Claude Opus 4.6 --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 59ce626..c4a5d43 100644 --- a/.gitignore +++ b/.gitignore @@ -5,4 +5,5 @@ dist/ .cc-manager.db-wal .cc-manager.db-shm *.log +.env .DS_Store
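Review bot: In the SECURITY.md hunk (PATCH 1/5), the "Rate limiting" row of the Known Limitations table and the "Rate limiting" bullet under Security Controls contradict each other: the table says the limiter keys on a static `"direct"` value unless `--trust-proxy` is set, which means all clients share one 30 req/min bucket, while the bullet claims "30 requests/minute per client". Reword the bullet to say the limit is per client only when `--trust-proxy` is enabled behind a proxy, and otherwise effectively global. Two more doc points in the same hunk: the "Agent isolation" bullet should say what a git worktree does and does not isolate (it is a separate checkout directory, not a sandbox, and shares the repository's object store, config and hooks), and the "Webhook URL validation" bullet should carry the same caveat the table gives ("DNS rebinding not prevented"), since a reader of the controls list alone would otherwise assume the check holds at connection time. Finally, since the Scope section rests on the service never being reachable from outside, state the default bind address in the policy so users can verify the assumption.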
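Review bot: In the CODE_OF_CONDUCT.md hunk (PATCH 2/5), the Enforcement section tells reporters to raise conduct complaints "by opening an issue", which makes harassment reports public and names the reporter; the SECURITY.md hunk in the same series already establishes a private channel, so point conduct reports to a private contact (an email address or the same advisories mechanism) and drop the public-issue option. The Attribution line also names Contributor Covenant 2.1, which expects a concrete enforcement contact to be listed; "contacting the maintainers" without an address leaves that blank.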
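Review bot: In the .gitignore hunk (PATCH 5/5), adding `.env` only stops future `git add`; it does not untrack a `.env` that was already committed, nor remove it from history. Before merging, confirm with `git ls-files .env` and `git log --all -- .env` that the file was never tracked, and if it was, run `git rm --cached .env`, rewrite or rotate as appropriate, and treat any secrets it held as exposed. Consider also ignoring the common variants (`.env.*`) while keeping a committed `.env.example` with placeholder values so contributors know which variables the tool reads.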