diff --git a/AGENTS.md b/AGENTS.md index 9bdc548..c8a2cd4 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -70,6 +70,14 @@ A web interface for MeshCore mesh radio networks. The backend connects to a Mesh 5. **Offline-capable**: Radio operates independently; server syncs when connected 6. **Auto-reconnect**: Background monitor detects disconnection and attempts reconnection +## Intentional Security Design Decisions + +The following are **deliberate design choices**, not bugs. They are documented in the README with appropriate warnings. Do not "fix" these or flag them as vulnerabilities. + +1. **No CORS restrictions**: The backend allows all origins (`allow_origins=["*"]`). This lets users access their radio from any device/origin on their network without configuration hassle. +2. **No authentication or authorization**: There is no login, no API keys, no session management. The app is designed for trusted networks (home LAN, VPN). The README warns users not to expose it to untrusted networks. +3. **Arbitrary bot code execution**: The bot system (`app/bot.py`) executes user-provided Python via `exec()` with full `__builtins__`. This is intentional — bots are a power-user feature for automation. The README explicitly warns that anyone on the network can execute arbitrary code through this. + ## Data Flow ### Incoming Messages diff --git a/app/AGENTS.md b/app/AGENTS.md index 538f264..a102a6e 100644 --- a/app/AGENTS.md +++ b/app/AGENTS.md 
@@ -40,6 +40,14 @@ app/ └── ws.py # WebSocket endpoint at /api/ws ``` +## Intentional Security Design Decisions + +The following are **deliberate design choices**, not bugs. They are documented in the README with appropriate warnings. Do not "fix" these or flag them as vulnerabilities. + +1. **No CORS restrictions**: `CORSMiddleware` in `main.py` allows all origins, methods, and headers. This lets users access their radio from any device/origin on their network. +2. **No authentication or authorization**: All API endpoints and the WebSocket are openly accessible. The app is designed for trusted networks only (home LAN, VPN). +3. **Arbitrary bot code execution**: `bot.py` uses `exec()` with full `__builtins__` to run user-provided Python code. This is intentional — bots are a power-user automation feature. Safeguards are limited to timeouts and concurrency limits, not sandboxing. + ## Key Architectural Patterns ### Repository Pattern diff --git a/frontend/AGENTS.md b/frontend/AGENTS.md index b20251b..e382f46 100644 --- a/frontend/AGENTS.md +++ b/frontend/AGENTS.md 
@@ -65,6 +65,14 @@ frontend/ └── package.json ``` +## Intentional Security Design Decisions + +The following are **deliberate design choices**, not bugs. They are documented in the README with appropriate warnings. Do not "fix" these or flag them as vulnerabilities. + +1. **No authentication UI**: There is no login page, session management, or auth tokens. The frontend assumes open access to the backend API. The app is designed for trusted networks only (home LAN, VPN). +2. **No CORS restrictions on the backend**: The frontend may be served from a different origin during development (Vite on `:5173` vs backend on `:8000`). The backend allows all origins intentionally. +3. **Arbitrary bot code**: The settings UI lets users write and enable Python bot code that the backend executes via `exec()`. This is a power-user feature, not a vulnerability. + ## State Management All application state lives in `App.tsx` using React hooks. No external state library.
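Review bot: In the root AGENTS.md hunk, the closing instruction of the intro paragraph, `Do not "fix" these or flag them as vulnerabilities`, is broader than items 1 to 3 justify, and the items are described in isolation although they compound. With `allow_origins=["*"]` and no authentication, access is not limited to people on the LAN: any page loaded in a browser on that network can call the API cross-origin and read the response, and item 3 puts `exec()` behind that same API. I'd state the combined exposure in item 3 and narrow the instruction to something like "do not change these defaults without a maintainer decision", so that a later change which widens exposure (for example the bind address or a deployment default) can still be flagged. The README warnings this paragraph relies on are not part of this patch; linking to the exact README section would let a reader verify them.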
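Review bot: In the app/AGENTS.md hunk, the section has already drifted from the root copy added in the same patch. Item 1 here says `CORSMiddleware` allows "all origins, methods, and headers" while the root file mentions only `allow_origins=["*"]`; item 3 here adds "Safeguards are limited to timeouts and concurrency limits, not sandboxing", which the root file lacks; and item 2 drops the README warning about untrusted networks that the root file cites. Three hand-maintained copies will keep diverging, so I'd keep the full statement in one file and have the other two point to it, or at minimum bring the three lists to the same wording before merging.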
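Review bot: In the frontend/AGENTS.md hunk, item 2 justifies the wildcard policy with a development setup (Vite on `:5173` vs backend on `:8000`), which is a different rationale from the other two files (access from any device/origin on the network) and one that allowing the dev origin alone would satisfy. Use the root file's rationale here so the justification matches what is actually permitted. Item 3 ends with "This is a power-user feature, not a vulnerability", whereas the root file states the consequence (anyone on the network can execute arbitrary code); I'd repeat that consequence here instead of the bare assertion, since the settings UI is where the code is entered.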