From 456b530bd5f0a8893f522f11000b97dc3c088dd8 Mon Sep 17 00:00:00 2001 From: 86156 Date: Sun, 15 Mar 2026 09:32:57 +0800 Subject: [PATCH] security: strengthen deployment guidance and sync lockfile --- README.md | 5 +++++ server/package-lock.json | 10 ++++++++++ 2 files changed, 15 insertions(+)
diff --git a/README.md b/README.md
index 27f0213..58a8903 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,11 @@ https://github.com/ZetongDu/shadowthreads-demo-coding-workflow
 That demo shows AI coding workflow state, revision lineage, execution replay, and replay verification in one place.
+## Deployment model
+
+Shadow Threads is currently designed for trusted local or controlled self-hosted environments. The current server exposes workflow APIs intended for local development and controlled infrastructure, and it does not yet provide production-grade authentication, authorization, or hardened network defaults.
+
+Shadow Threads should not be exposed to the public Internet as-is. If deploying beyond localhost, operators must add authentication and authorization, restrict network access, tighten CORS policies, secure PostgreSQL and Redis, and manage secrets outside development defaults.
 ## Quickstart
 ### Prerequisites
diff --git a/server/package-lock.json b/server/package-lock.json
index 176efc8..adaa5ff 100644
--- a/server/package-lock.json
+++ b/server/package-lock.json
@@ -11,6 +11,7 @@
 "@anthropic-ai/sdk": "^0.30.0",
 "@google/generative-ai": "^0.21.0",
 "@prisma/client": "^5.22.0",
+ "adm-zip": "^0.5.16",
 "axios": "^1.13.2",
 "bcryptjs": "^2.4.3",
 "cors": "^2.8.5",
@@ -1306,6 +1307,15 @@
 "node": ">= 0.6"
 }
 },
+ "node_modules/adm-zip": {
+ "version": "0.5.16",
+ "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.5.16.tgz",
+ "integrity": "sha512-TGw5yVi4saajsSEgz25grObGHEUaDrniwvA2qwSC060KfqGPdglhvPMA2lPIoxs3PQIItj2iag35fONcQqgUaQ==",
+ "license": "MIT",
+ "engines": {
+ "node": ">=12.0"
+ }
+ },
 "node_modules/agent-base": {
 "version": "7.1.4",
 "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.4.tgz",