SECURITY.md

Security

HuggingMes runs a full agent gateway with tool access. Treat the Space and its secrets like a server.

Required Hardening

• Set GATEWAY_TOKEN; /v1/* routes require Authorization: Bearer <GATEWAY_TOKEN>.
• Set TELEGRAM_ALLOWED_USERS to numeric Telegram user IDs.
• Keep your HF Dataset backup private.
• Do not enable SYNC_INCLUDE_ENV=true unless you intentionally want /opt/data/.env backed up.

Reporting

Open a private issue or contact the maintainer directly with reproduction steps and affected configuration.