v2.0.0 — Buddy Security Hardening + Production Architecture

What's New in v2.0.0

This release brings all the security hardening and production architecture learnings from the Buddy agent — the Cloudflare-based production deployment that's been live since February 2026.

🔒 Security Fixes

• CORS hardening — No more wildcard * origins. Configure allowed domains via ALLOWED_ORIGINS env var
• Rate limiting — Built-in IP-based rate limiter (30 req/min, configurable)
• Error sanitization — Server returns generic errors; full details logged internally
• Input validation — GAQL injection prevention via period whitelisting
• Write safety — CEP Protocol (Confirm → Execute → Post-check) for all mutations

📦 Now a Pip Package

pip install google-ads-agent

Or install with extras:

pip install "google-ads-agent[all]"   # server + creative + cli
pip install "google-ads-agent[server]" # FastAPI server only

📄 New Documentation

• LICENSE — MIT license (previously missing)
• SECURITY.md — Vulnerability reporting + security best practices
• CONTRIBUTING.md — How to contribute, priority areas, code style
• CHANGELOG.md — Version history
• .env.example — Complete credential template
• docs/BUDDY_ARCHITECTURE.md — Full Cloudflare production architecture reference

🏗️ Buddy Architecture Reference

The new docs/BUDDY_ARCHITECTURE.md documents the production Cloudflare system:

• Durable Objects for per-user state
• Semantic memory via Vectorize embeddings
• Encrypted API key storage (AES-256-GCM)
• Automated monitoring (health checks, anomaly detection)
• Credit-based billing with Stripe
• Multi-provider AI (Claude, GPT, Gemini)

This serves as a blueprint for contributors building these features in Python.

⬆️ Upgrade Guide

No breaking changes from v1.0. Just pull the latest and set your ALLOWED_ORIGINS env var if deploying the server.

---

Full Changelog: b9a22c1...v2.0.0