docs: add SECURITY.md with WebSocket and branch protection guidelines

SECURITY.md

@@ -0,0 +1,17 @@
+
+# Security Policy
+
+## WebSocket Security
+The Nexus WebSocket gateway (`server.py`) is restricted to `127.0.0.1` by default to prevent unauthorized remote access to the cognition layer.
+
+### Remote Access
+If remote access is required, you must:
+1. Set `NEXUS_WS_HOST=0.0.0.0`
+2. Provide a secure `NEXUS_WS_AUTH_TOKEN`
+
+## Branch Protection
+We enforce rebase-before-merge to ensure a clean, linear history. Please rebase your branches against `main` before submitting for final review.
+
+## Reporting Vulnerabilities
+Please report any security concerns directly to the Timmy Foundation core team.
+    

docs/cron-setup-stale-pr-closer.md

@@ -1,40 +0,0 @@
-# Cron Setup — Stale PR Closer
-
-Issue #1255: Admin actions for the-nexus IaC epic #1248.
-
-## Status
-
-| Task | Status |
-|------|--------|
-| Rebase-before-merge on `main` | DONE (block_on_outdated: True) |
-| Stale PR closer script | EXISTS (.githooks/stale-pr-closer.sh) |
-| PR #1254 merged | DONE (closed) |
-| Cron setup | See below |
-
-## Cron Setup
-
-Add to crontab on the machine running Hermes:
-
-```bash
-# Edit crontab
-crontab -e
-
-# Add (runs every 6 hours):
-0 */6 * * * GITEA_TOKEN="$(cat ~/.config/gitea/token)" REPO="Timmy_Foundation/the-nexus" /path/to/the-nexus/.githooks/stale-pr-closer.sh >> ~/.hermes/logs/stale-pr-closer.log 2>&1
-```
-
-## Dry Run
-
-Test before enabling:
-
-```bash
-GITEA_TOKEN="$(cat ~/.config/gitea/token)" REPO="Timmy_Foundation/the-nexus" DRY_RUN=true .githooks/stale-pr-closer.sh
-```
-
-## What It Does
-
-1. Fetches open PRs from the-nexus
-2. Checks if each PR's branch has merge conflicts with main
-3. Checks if the PR has been inactive for >24 hours (configurable via GRACE_HOURS)
-4. Closes stale PRs with a comment explaining why
-5. Logs all actions to stdout (cron captures to log file)