fix(security): lock down inbound DMs by default

Peter Steinberger
2026-01-06 17:51:38 +01:00
parent 327ad3c9c7
commit 967cef80bc
36 changed files with 2093 additions and 203 deletions

@@ -49,6 +49,7 @@ This is social engineering 101. Create distrust, encourage snooping.
```
Only allow specific phone numbers to trigger your AI. Never use `["*"]` in production.
Newer versions default to **DM pairing** (`*.dmPolicy="pairing"`) on most providers; avoid `dmPolicy="open"` unless you explicitly want public inbound access.
### 2. Group Chat Mentions
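
Review bot: The `dmPolicy` sentence in this hunk says "Newer versions" and "most providers" without naming either, so a reader cannot tell whether their install or their provider is covered by the pairing default. Suggest stating the first version that defaults to `dmPolicy="pairing"` and listing the providers that do not, or linking to where that is documented. It would also help to say how `dmPolicy="open"` relates to the `["*"]` allowlist warned against on the line above, since the two warnings now sit side by side without saying whether one implies the other.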