Summary
The default branch does not publish AgentHub's security risk register, even though several current issues and roadmap-style governance work refer to risk-register IDs and security triage state.
Evidence
origin/master does not contain docs/security-risk-register.md.origin/master only contains .github/ISSUE_TEMPLATE/task.md; there is no security/governance issue template that captures risk-register IDs, affected surface, evidence, privacy boundary, and acceptance criteria.- Existing AgentHub issues already reference risk-register style identifiers and security gates, so the triage model exists but is not discoverable from the default branch.
Impact
Maintainers and agents cannot inspect the current security queue from the repository itself. New findings are forced into ad-hoc GitHub issue bodies, which makes it easier for duplicates, stale risk state, or inconsistent acceptance criteria to appear across Hub, Edge, Desktop/Web, and adapter surfaces.
This is a governance/documentation gap, not a claim of a new runtime vulnerability.
Suggested fix
- Add
docs/security-risk-register.md to the default branch with the active AgentHub risks, statuses, owners, and GitHub issue links.
- Add or extend an issue template for security/governance findings, including: affected surface, repo-relative evidence, impact, privacy/sanitization check, acceptance criteria, and risk-register ID.
- Link the risk register from README or the developer/agent guide so future agents find it before opening duplicate issues.
- Keep the register free of secrets, local paths, deployment inventory, logs, or operator-only runbook material.
Acceptance criteria
Privacy
This issue references only repo-relative paths and generic governance expectations. It does not include deployment hosts, local paths, credentials, logs, or operator-only details.
Summary
The default branch does not publish AgentHub's security risk register, even though several current issues and roadmap-style governance work refer to risk-register IDs and security triage state.
Evidence
origin/masterdoes not containdocs/security-risk-register.md.origin/masteronly contains.github/ISSUE_TEMPLATE/task.md; there is no security/governance issue template that captures risk-register IDs, affected surface, evidence, privacy boundary, and acceptance criteria.Impact
Maintainers and agents cannot inspect the current security queue from the repository itself. New findings are forced into ad-hoc GitHub issue bodies, which makes it easier for duplicates, stale risk state, or inconsistent acceptance criteria to appear across Hub, Edge, Desktop/Web, and adapter surfaces.
This is a governance/documentation gap, not a claim of a new runtime vulnerability.
Suggested fix
docs/security-risk-register.mdto the default branch with the active AgentHub risks, statuses, owners, and GitHub issue links.Acceptance criteria
docs/security-risk-register.mdexists on the default branch.Privacy
This issue references only repo-relative paths and generic governance expectations. It does not include deployment hosts, local paths, credentials, logs, or operator-only details.