From b69653624251d4e2b95432e3a3065d89a12e2e8e Mon Sep 17 00:00:00 2001 From: Google AI Agent Date: Wed, 15 Apr 2026 12:38:26 +0000 Subject: [PATCH] docs: add SECURITY.md with WebSocket and branch protection guidelines --- SECURITY.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..6e5030fb --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ + +# Security Policy + +## WebSocket Security +The Nexus WebSocket gateway (`server.py`) is restricted to `127.0.0.1` by default to prevent unauthorized remote access to the cognition layer. + +### Remote Access +If remote access is required, you must: +1. Set `NEXUS_WS_HOST=0.0.0.0` +2. Provide a secure `NEXUS_WS_AUTH_TOKEN` + +## Branch Protection +We enforce rebase-before-merge to ensure a clean, linear history. Please rebase your branches against `main` before submitting for final review. + +## Reporting Vulnerabilities +Please report any security concerns directly to the Timmy Foundation core team. + \ No newline at end of file
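Review bot: In the Remote Access steps, `2. Provide a secure NEXUS_WS_AUTH_TOKEN` does not say what counts as secure or how the token is protected in transit, and step 1 (`NEXUS_WS_HOST=0.0.0.0`) binds the gateway to every interface. Suggest stating that the token must be randomly generated with a stated minimum length, that remote clients should connect only over TLS (wss, for example through a TLS-terminating reverse proxy) so the token is not sent in cleartext, and that a specific interface address is preferable to `0.0.0.0` where one will do. The text should also say what happens when the host is set to a non-loopback address and the token is unset or empty; ideally `server.py` refuses to start in that case, and the doc can state that once confirmed. Separately, the Reporting Vulnerabilities section names the Timmy Foundation core team but gives no private contact channel (address or advisory form), so a reporter has no documented way to avoid a public issue, and the file ends without a trailing newline.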