docs(agents): note CM_DEBUG default and intent

2026-05-02 16:23:17 +08:00 · 2026-05-02 16:23:17 +08:00 · a2351c96f6
commit a2351c96f6
parent 72ec2177db
1 changed files with 1 additions and 0 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@ -100,5 +100,6 @@

 ## Security & Configuration Tips
 - Never commit real secrets in `.env`.
+- `CM_DEBUG` defaults to `false` for both Flask services. Set it to `true` only in local development; rex/siong production env files must leave it unset (the Werkzeug debugger is RCE if reachable).
 - `app/cm_bot_hal.py` currently contains hardcoded agent credentials/pin; move these to env vars before production use.
 - Keep container clocks mounted (`/etc/timezone`, `/etc/localtime`) as compose currently defines to avoid schedule drift.