Skip to content

Security: millennium42/code-house

Security

docs/SECURITY.md

Security

Secrets

  • .env is ignored and must never be committed.
  • .env.example contains placeholders only.
  • API keys or secrets pasted in chat, screenshots or logs must be treated as compromised and rotated.
  • The validator scans for common leaked secret formats.

Generated Software

Agents must:

  • use environment variables for secrets;
  • hash passwords when auth is requested;
  • implement role checks for protected routes;
  • avoid hardcoded local absolute paths;
  • expose health checks without leaking secrets;
  • keep database credentials in Docker/env only;
  • include seed credentials only for demo and document them clearly.

Bridge Safety

  • The bridge requires x-tool-bridge-token.
  • File writes are restricted to SANDBOX_ROOT.
  • Path traversal is rejected.
  • Logs redact common secret fields and known secret values from environment variables.

Public GitHub Publishing

Before public publish:

  1. run node scripts/validate_repo.js;
  2. inspect .env is not staged;
  3. rotate any exposed credentials or keys;
  4. confirm generated software does not contain real customer data;
  5. publish only after release readiness approval.

There aren't any published security advisories