
Security: Comprehensive hardening of README.md documentation #3

Draft
Copilot wants to merge 2 commits into main from copilot/review-security-on-readme

Copilot AI commented Feb 3, 2026

README.md contained security-sensitive examples and insufficient security guidance for a self-hosted AI assistant handling API credentials and messaging channels.

Changes

Critical Security Warnings Added

  • Upfront security notice linking to SECURITY.md before installation
  • Node.js ≥22.12.0 requirement with CVE references (CVE-2025-59466, CVE-2026-21636)
  • Gateway binding warning: bind: loopback only, never all in production

Credentials & Examples Hardened

  • Phone numbers: +1234567890 → +15555550100 (clearly fictional)
  • API tokens: partial patterns like sk-ant-api03-... → fully masked sk-ant-api03-XXXXXXXX...
  • All bot token examples now include inline warnings about environment variables

File Permissions Guidance

chmod 700 ~/.clawdbot/credentials
chmod 600 ~/.clawdbot/credentials/*
chmod 600 ~/.clawdbot/config/.moltbot.yaml
chmod 600 .env

.env Security Block
Added 5-point security checklist:

  • Never commit to version control
  • Never share real tokens
  • File permissions (chmod 600)
  • Credential rotation
  • Use .env.example as template

New Security Section
Comprehensive best practices across 6 categories:

  1. Credential management
  2. Gateway configuration
  3. Filesystem permissions
  4. Access control & allowlists
  5. Docker hardening
  6. Audit & monitoring (including moltbot security audit --deep)

Documentation Structure

  • Added "Seguridad" to table of contents
  • Cross-linked SECURITY.md and security docs throughout

Impact

84 lines added, 14 modified. README now serves as both setup guide and security reference, with actionable commands at decision points.

Original prompt

On README.md, perform an exhaustive security review



…vements

Co-authored-by: jcarvajalantigua <54653531+jcarvajalantigua@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Review security in README.md" to "Security: Comprehensive hardening of README.md documentation" Feb 3, 2026
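
The file permissions guidance in the pull request description above, turned into a repeatable check (an added example, not code from the pull request or the project): it flags any of the listed paths whose mode grants more than the recommended chmod value. The function names and the FINDINGS counter are hypothetical; the paths are the ones in the description, and GNU or BSD stat is assumed.

```shell
#!/bin/sh
# Added example: checks the modes recommended in the PR description.
# Assumes GNU stat (-c) or BSD stat (-f) is available.

FINDINGS=0

# Print a path's permission bits in octal (e.g. 600); fail if it is missing.
mode_of() {
    [ -e "$1" ] || return 1
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null
}

# Succeed only if the path carries no permission bit outside the octal maximum.
# usage: within_mode PATH MAX   (MAX is octal, e.g. 600 or 700)
within_mode() {
    mode=$(mode_of "$1") || return 2
    [ $(( 0$mode & ~0$2 & 07777 )) -eq 0 ]
}

# Report one path; missing paths are skipped, not counted as findings.
check_path() {
    [ -e "$1" ] || return 0
    if ! within_mode "$1" "$2"; then
        echo "TOO OPEN: $1 has mode $(mode_of "$1"), expected at most $2"
        FINDINGS=$((FINDINGS + 1))
    fi
}

# usage: audit_perms [STATE_DIR] [ENV_FILE]
# Returns non-zero when any checked path is more permissive than recommended.
audit_perms() {
    state=${1:-$HOME/.clawdbot}
    env_file=${2:-.env}
    FINDINGS=0
    check_path "$state/credentials" 700
    # Same glob as the chmod guidance; only regular files are held to 600.
    for f in "$state"/credentials/*; do
        if [ -f "$f" ]; then check_path "$f" 600; fi
    done
    check_path "$state/config/.moltbot.yaml" 600
    check_path "$env_file" 600
    [ "$FINDINGS" -eq 0 ]
}
```

Calling audit_perms with no arguments checks ~/.clawdbot and the .env file in the current directory; a stricter mode than recommended, such as 400, passes.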