
Initial security hardening and notice#1420

Open
Karen86Tonoyan wants to merge 3 commits into ruvnet:main from Karen86Tonoyan:security/supply-chain-hardening

Conversation

@Karen86Tonoyan

You are working on the GitHub repository Karen86Tonoyan/ruflo.

Goal:
Improve security posture and trustworthiness of the repository, with primary focus on supply-chain risk reduction and safer installation flow.

Operating mode:
Work in two stages.

Stage 1:
Create a minimal, reviewable hardening patch suitable for a clean PR.
Do not redesign the project.
Do not add unrelated features.
Do not introduce breaking changes unless absolutely necessary.
Prefer small, precise edits.

Stage 2:
After Stage 1 is complete, propose optional improvements separately.
Keep optional improvements out of the first PR unless they are extremely low risk.

Security priorities:

  1. Find mutable install/runtime references such as:
    • @latest
    • @Alpha
    • unpinned npx usage
    • mutable installer references to main/master
  2. Find risky onboarding paths such as:
    • curl | bash
    • remote script execution without review/integrity guidance
  3. Find install-time side effects such as:
    • automatic global npm installs
    • writes to user-level config like ~/.claude/settings.json
    • auto-configured MCP entries
  4. Find packaged local/config artifacts that should not be distributed if present.

Rules:

  • Do not invent dependency versions.
  • If a safe exact version is known from the repo/package context, pin it.
  • If the exact safe version is uncertain, do not fake-pin it; instead add a warning or safer wording.
  • Preserve current behavior where possible.
  • Prefer safer defaults and better documentation over aggressive code changes.
  • Keep changes maintainable and PR-friendly.

Priority files to inspect:

  • README.md
  • scripts/install.sh
  • .claude-plugin/scripts/install.sh
  • package.json files
  • .npmignore
  • any .claude/settings.json
  • any MCP-related config
  • any install/update scripts

Stage 1 tasks:

  1. Audit install flow and document exact findings.
  2. Reduce supply-chain risk in docs and scripts.
  3. Add SECURITY.md.
  4. Add a short security notice in README.
  5. Replace risky examples with safer ones where possible.
  6. Reduce reliance on curl | bash as the primary recommended path.
  7. Prefer “download, review, then run” wording for shell installer examples.
  8. Add warnings around global installs and user-level config writes.
  9. Avoid automatic writes to ~/.claude/settings.json where feasible; prefer printed manual instructions.
  10. Keep the patch minimal and easy to review.

Expected Stage 1 deliverables:

  • a clean branch
  • minimal commits
  • summary of findings
  • exact files changed
  • draft PR title
  • draft PR description

Suggested PR title:
security: harden installer and README against supply-chain risks

Suggested PR description:
This PR improves the security posture of the installation flow by reducing supply-chain and persistence risks. It focuses on safer defaults, clearer documentation, reduced reliance on mutable install paths, and better guidance around global installs and user-level configuration changes. No malware or hidden contributor instructions were identified; these changes are security hardening improvements.

Output format:

  1. Findings summary
  2. Proposed Stage 1 changes
  3. Exact diffs or files changed
  4. Risks/tradeoffs
  5. Draft PR title
  6. Draft PR description
  7. Optional Stage 2 improvements

Important:
Do not over-engineer. The first goal is a credible, minimal, reviewable security hardening PR.
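One way to mechanise Stage 1 task 1 (auditing the install flow for the patterns listed under "Security priorities"), as an added example that is not part of this PR or of the ruflo project: a small Python scanner that reports each candidate line under the PR's own risk classes. The rules are heuristics, and the sample README/install.sh contents, URLs and package names are constructed placeholders, not the repository's real files.

```python
from __future__ import annotations
import re
from typing import NamedTuple

class Finding(NamedTuple):
    path: str
    line: int
    category: str
    match: str

# One rule per risk class from the PR's priority list. The patterns are heuristics,
# so every hit is a candidate for manual review, not a confirmed defect.
RULES = [
    ("mutable-dist-tag", re.compile(r"@(?:latest|alpha|beta|next|canary)\b", re.I)),
    ("unpinned-npx", re.compile(r"(?:^\s*|[`$;&|]\s*)npx\s+(?:-y\s+|--yes\s+)?(?:@[\w.-]+/)?[\w.-]+(?=\s|$)")),
    ("mutable-branch-ref", re.compile(r"https?://(?:raw\.githubusercontent\.com/[\w.-]+/[\w.-]+|github\.com/[\w.-]+/[\w.-]+/raw)/(?:main|master)/")),
    ("pipe-to-shell", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    ("global-install", re.compile(r"\bnpm\s+(?:install|i|add)\s+(?:-g|--global)\b|\bnpm\s+(?:-g|--global)\s+(?:install|i)\b")),
    ("user-config-write", re.compile(r"(?:~|\$HOME)/\.claude/settings\.json")),
]

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit; an exact version pin trips no rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, lineno, category, m.group(0)))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample inputs standing in for README.md and scripts/install.sh;
# the URLs, package names and commands are placeholders, not the ruflo repo's.
SAMPLE_FILES = {
    "README.md": "\n".join([
        "npx claude-flow@latest init",
        "npm install -g claude-flow",
        "curl -fsSL https://raw.githubusercontent.com/example-org/example-repo/main/install.sh | bash",
        "npx claude-flow@2.0.0 --help   # exact pin: must not be flagged",
        "npx example-tool init",
    ]),
    "scripts/install.sh": "\n".join([
        "npm i -g example-cli@alpha",
        "cat > ~/.claude/settings.json <<'EOF'",
    ]),
}
```

Running `scan_files(SAMPLE_FILES)` yields the findings list that Stage 1's "summary of findings" deliverable asks for, one entry per file, line and risk class.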

Copilot AI review requested due to automatic review settings March 24, 2026 08:08

Copilot AI left a comment


Pull request overview

Adds an initial security-hardening notice document intended to describe supply-chain/persistence risks in the current install flow and set expectations for safer installation/configuration guidance.

Changes:

  • Added a new markdown document summarizing the security hardening intent and key risk areas
  • Documented (at a high level) mutable dependency and remote-script execution concerns


Comment on lines +13 to +14
- mutable dependencies (e.g. @latest)
- remote script execution (curl | bash)

Copilot AI Mar 24, 2026


For clarity and to avoid markdown rendering ambiguities, format command/pattern tokens as inline code (e.g., @latest, curl | bash). This also makes it easier for readers to visually identify risky patterns.

Suggested change
- mutable dependencies (e.g. @latest)
- remote script execution (curl | bash)
- mutable dependencies (e.g. `@latest`)
- remote script execution (`curl | bash`)

Author


security: initial hardening + security notice

This PR introduces an initial security document (SECURITY.md) whose purpose is to identify and document the risks associated with the current installation process and to lay the groundwork for further hardening of the repository.

Scope:

  • add a SECURITY.md document
  • identify the key risk areas (supply chain, installation, user configuration)
  • describe potentially unsafe patterns:
    • mutable dependencies (e.g. @latest)
    • remote script execution (e.g. curl | bash)
  • set the direction for safer installation practices

Goal:
This PR is minimal and informational in nature (stage 1). It makes no changes to the runtime or to the installation process, in order to preserve full compatibility and ease of verification.

Notes:

  • the README update and the changes to the installation paths will be made in a separate PR (stage 2)
  • no malicious code was identified; the changes are preventive and strengthen security

Next steps (outside this PR):

  • update the README (safer installation instructions)
  • reduce the use of curl | bash as the default path
  • guide the user better through installation (review-before-run)

@Karen86Tonoyan
Author

@copilot open a new pull request to apply changes based on the comments in this thread

security: initial hardening + security notice

This PR introduces an initial SECURITY.md document to improve transparency around installation risks and prepare the repository for further security hardening.

Scope

  • adds SECURITY.md
  • documents key risk areas:
    • supply chain risks
    • installation and execution risks
    • user-level configuration side effects
  • highlights potentially unsafe patterns:
    • variable dependencies (e.g. @latest)
    • remote script execution (e.g. curl | bash)
  • establishes direction for safer installation practices

Goal

This PR is intentionally minimal and informational (stage 1).
It does not introduce runtime or behavioral changes to avoid breaking existing workflows.

Notes

  • README updates and installation flow hardening will be handled in a follow-up PR (stage 2)
  • no malicious code was identified; changes are preventive and focused on improving security posture

Next steps (outside this PR)

  • update README with safer installation instructions
  • reduce reliance on curl | bash
  • introduce “download → review → execute” guidance

Copilot AI and others added 2 commits March 30, 2026 21:08
…ception

[WIP] Fix null pointer exception in user profile

3 participants