From a2351c96f6871dc8f64905de6d318345acd410fb Mon Sep 17 00:00:00 2001
From: yiekheng <yiekheng@04080616.xyz>
Date: Sat, 2 May 2026 16:23:17 +0800
Subject: [PATCH] docs(agents): note CM_DEBUG default and intent

---
 AGENTS.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/AGENTS.md b/AGENTS.md
index 46f212d..a2a0061 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -100,5 +100,6 @@
 
 ## Security & Configuration Tips
 - Never commit real secrets in `.env`.
+- `CM_DEBUG` defaults to `false` for both Flask services. Set it to `true` only in local development; rex/siong production env files must leave it unset (the Werkzeug debugger is RCE if reachable).
 - `app/cm_bot_hal.py` currently contains hardcoded agent credentials/pin; move these to env vars before production use.
 - Keep container clocks mounted (`/etc/timezone`, `/etc/localtime`) as compose currently defines to avoid schedule drift.