mirror of
https://github.com/x1xhlol/system-prompts-and-models-of-ai-tools.git
synced 2026-06-18 07:19:35 +00:00
# Security Policy

## Reporting a Vulnerability

**Do not open a public issue.** Report vulnerabilities privately:

1. Email the maintainer directly, or
2. Use GitHub's private vulnerability reporting on this repository.

Include: description, reproduction steps, affected component, and severity estimate.

You will receive an acknowledgment within 48 hours and a resolution timeline within 7 days.

## Scope

The following categories are in scope for security reports:

| Category | Examples |
|----------|---------|
| **Authentication Bypass** | Token forgery, session hijacking, OAuth flaws |
| **Exposed Secrets** | Credentials, API keys, or tokens in code/logs/responses |
| **Remote Code Execution** | Injection via API inputs, template rendering, task queue |
| **Privilege Escalation** | Tenant cross-access, role bypass, admin impersonation |
| **Data Exposure** | PII leaks, unscoped queries, verbose error responses |
| **Commission Abuse** | Fraudulent affiliate attribution, payout manipulation |
| **Infrastructure Misconfiguration** | Open ports, default credentials, permissive CORS, debug mode in production |

## Out of Scope

- Denial of service via volumetric flooding
- Social engineering of team members
- Vulnerabilities in third-party services we do not control
- Reports without actionable reproduction steps

## Disclosure

We follow coordinated disclosure. We will credit reporters (with permission) once a fix is deployed.