docs: add top-level Security Policy page across all languages

Create a dedicated Security Policy page (docs/{en,pt-BR,ko,ar}/security.mdx) with vulnerability reporting instructions pointing to the Bugcrowd VDP (crewai-vdp-ess@submit.bugcrowd.com), consistent with the updated security policy from PR #5096. The page is added to the Documentation tab navigation (after Telemetry) across all versions and languages in docs.json. This is a top-level security page, not buried inside MCP docs.
2026-03-30 15:48:15 +00:00 · 2026-03-26 17:55:27 +00:00
25 changed files with 975 additions and 1258 deletions
--- a/.github/workflows/docs-broken-links.yml
+++ b/.github/workflows/docs-broken-links.yml
@@ -23,7 +23,7 @@ jobs:
      - name: Set up Node
        uses: actions/setup-node@v4
        with:
-          node-version: "22"
+          node-version: "latest"

      - name: Install Mintlify CLI
        run: npm i -g mintlify
--- a/docs/ar/changelog.mdx
+++ b/docs/ar/changelog.mdx
@@ -4,63 +4,6 @@ description: "تحديثات المنتج والتحسينات وإصلاحات
 icon: "clock"
 mode: "wide"
 ---
-<Update label="27 مارس 2026">
-  ## v1.13.0rc1
-
-  [عرض الإصدار على GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## ما الذي تغير
-
-  ### الوثائق
-  - تحديث سجل التغييرات والإصدار لـ v1.13.0a2
-
-  ## المساهمون
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 مارس 2026">
-  ## v1.13.0a2
-
-  [عرض الإصدار على GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## ما الذي تغير
-
-  ### الميزات
-  - تحديث تلقائي لمستودع اختبار النشر أثناء الإصدار
-  - تحسين مرونة إصدار المؤسسات وتجربة المستخدم
-
-  ### الوثائق
-  - تحديث سجل التغييرات والإصدار للإصدار v1.13.0a1
-
-  ## المساهمون
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 مارس 2026">
-  ## v1.13.0a1
-
-  [عرض الإصدار على GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## ما الذي تغير
-
-  ### إصلاحات الأخطاء
-  - إصلاح الروابط المعطلة في سير العمل الوثائقي عن طريق تثبيت Node على LTS 22
-  - مسح ذاكرة التخزين المؤقت لـ uv للحزم المنشورة حديثًا في الإصدار المؤسسي
-
-  ### الوثائق
-  - إضافة مصفوفة شاملة لأذونات RBAC ودليل النشر
-  - تحديث سجل التغييرات والإصدار للإصدار v1.12.2
-
-  ## المساهمون
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="25 مارس 2026">
  ## v1.12.2

--- a/docs/ar/mcp/security.mdx
+++ b/docs/ar/mcp/security.mdx
@@ -139,7 +139,19 @@ mode: "wide"
 - **الالتزام بمواصفات ترخيص MCP**: إذا كنت تنفذ المصادقة والترخيص، اتبع بدقة [مواصفات ترخيص MCP](https://modelcontextprotocol.io/specification/draft/basic/authorization).
 - **تدقيقات أمنية منتظمة**: إذا كان خادم MCP يتعامل مع بيانات حساسة، فكر في إجراء تدقيقات أمنية دورية.

-## 5. قراءة إضافية
+## 5. الإبلاغ عن الثغرات الأمنية
+
+إذا اكتشفت ثغرة أمنية في CrewAI، يرجى الإبلاغ عنها بشكل مسؤول من خلال برنامج الكشف عن الثغرات (VDP) الخاص بنا على Bugcrowd:
+
+**أرسل التقارير إلى:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**لا تكشف** عن الثغرات عبر issues العامة على GitHub أو pull requests أو وسائل التواصل الاجتماعي. لن تتم مراجعة التقارير المقدمة عبر قنوات غير Bugcrowd.
+</Warning>
+
+لمزيد من التفاصيل، راجع [سياسة الأمان](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md) الخاصة بنا.
+
+## 6. قراءة إضافية

 لمزيد من المعلومات التفصيلية حول أمان MCP، راجع التوثيق الرسمي:
 - **[أمان نقل MCP](https://modelcontextprotocol.io/docs/concepts/transports#security-considerations)**
--- a/docs/ar/security.mdx
+++ b/docs/ar/security.mdx
@@ -0,0 +1,22 @@
+---
+title: سياسة الأمان
+description: تعرف على كيفية الإبلاغ عن الثغرات الأمنية وممارسات الأمان في CrewAI.
+icon: shield
+mode: "wide"
+---
+
+## الإبلاغ عن الثغرات الأمنية
+
+إذا اكتشفت ثغرة أمنية في CrewAI، يرجى الإبلاغ عنها بشكل مسؤول من خلال برنامج الكشف عن الثغرات (VDP) الخاص بنا على Bugcrowd:
+
+**أرسل التقارير إلى:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**لا تكشف** عن الثغرات عبر issues العامة على GitHub أو pull requests أو وسائل التواصل الاجتماعي. لن تتم مراجعة التقارير المقدمة عبر قنوات غير Bugcrowd.
+</Warning>
+
+لمزيد من التفاصيل، راجع [سياسة الأمان على GitHub](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md).
+
+## موارد الأمان
+
+- **[اعتبارات أمان MCP](/mcp/security)** — أفضل الممارسات لدمج خوادم MCP بأمان مع وكلاء CrewAI، بما في ذلك أمان النقل ومخاطر حقن الأوامر ونصائح تنفيذ الخادم.
--- a/docs/docs.json
+++ b/docs/docs.json
--- a/docs/en/changelog.mdx
+++ b/docs/en/changelog.mdx
@@ -4,63 +4,6 @@ description: "Product updates, improvements, and bug fixes for CrewAI"
 icon: "clock"
 mode: "wide"
 ---
-<Update label="Mar 27, 2026">
-  ## v1.13.0rc1
-
-  [View release on GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## What's Changed
-
-  ### Documentation
-  - Update changelog and version for v1.13.0a2
-
-  ## Contributors
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="Mar 27, 2026">
-  ## v1.13.0a2
-
-  [View release on GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## What's Changed
-
-  ### Features
-  - Auto-update deployment test repo during release
-  - Improve enterprise release resilience and UX
-
-  ### Documentation
-  - Update changelog and version for v1.13.0a1
-
-  ## Contributors
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="Mar 27, 2026">
-  ## v1.13.0a1
-
-  [View release on GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## What's Changed
-
-  ### Bug Fixes
-  - Fix broken links in documentation workflow by pinning Node to LTS 22
-  - Bust the uv cache for freshly published packages in enterprise release
-
-  ### Documentation
-  - Add comprehensive RBAC permissions matrix and deployment guide
-  - Update changelog and version for v1.12.2
-
-  ## Contributors
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="Mar 25, 2026">
  ## v1.12.2

--- a/docs/en/enterprise/features/sso.mdx
+++ b/docs/en/enterprise/features/sso.mdx
@@ -1,194 +0,0 @@
---
-title: Single Sign-On (SSO)
-icon: "key"
-description: Configure enterprise SSO authentication for CrewAI Platform — SaaS and Factory
---
-
-## Overview
-
-CrewAI Platform supports enterprise Single Sign-On (SSO) across both **SaaS (AMP)** and **Factory (self-hosted)** deployments. SSO enables your team to authenticate using your organization's existing identity provider, enforcing centralized access control, MFA policies, and user lifecycle management.
-
-### Supported Providers
-
-| Provider | SaaS | Factory | Protocol |
-|---|---|---|---|
-| **WorkOS** | ✅ (default) | ✅ | OAuth 2.0 / OIDC |
-| **Microsoft Entra ID** (Azure AD) | ✅ (enterprise) | ✅ | OAuth 2.0 / SAML 2.0 |
-| **Okta** | ✅ (enterprise) | ✅ | OAuth 2.0 / OIDC |
-| **Auth0** | ✅ (enterprise) | ✅ | OAuth 2.0 / OIDC |
-| **Keycloak** | — | ✅ | OAuth 2.0 / OIDC |
-
-### Key Capabilities
-
- **SAML 2.0 and OAuth 2.0 / OIDC** protocol support
- **Device Authorization Grant** flow for CLI authentication
- **Role-Based Access Control (RBAC)** with custom roles and per-resource permissions
- **MFA enforcement** delegated to your identity provider
- **User provisioning** through IdP assignment (users/groups)
-
---
-
-## SaaS SSO
-
-### Default Authentication
-
-CrewAI's managed SaaS platform (AMP) uses **WorkOS** as the default authentication provider. When you sign up at [app.crewai.com](https://app.crewai.com), authentication is handled through `login.crewai.com` — no additional SSO configuration is required.
-
-### Enterprise Custom SSO
-
-Enterprise SaaS customers can configure SSO with their own identity provider (Entra ID, Okta, Auth0). Contact your CrewAI account team to enable custom SSO for your organization. Once configured:
-
-1. Your team members authenticate through your organization's IdP
-2. Access control and MFA policies are enforced by your IdP
-3. The CrewAI CLI automatically detects your SSO configuration via `crewai enterprise configure`
-
-### CLI Defaults (SaaS)
-
-| Setting | Default Value |
-|---|---|
-| `enterprise_base_url` | `https://app.crewai.com` |
-| `oauth2_provider` | `workos` |
-| `oauth2_domain` | `login.crewai.com` |
-
---
-
-## Factory SSO
-
-Factory (self-hosted) deployments support SSO with the following identity providers:
-
- **Microsoft Entra ID** (Azure AD)
- **Okta**
- **Keycloak**
- **Auth0**
- **WorkOS**
-
-Each provider requires registering an application in your IdP and configuring the corresponding environment variables in your Helm `values.yaml`.
-
-<Note>
-  Detailed setup guides for each provider — including step-by-step IdP registration, environment variable reference, and CLI enablement — are available in your **Factory admin documentation** (shipped with your Factory installation).
-</Note>
-
---
-
-## CLI Authentication
-
-The CrewAI CLI supports SSO authentication via the **Device Authorization Grant** flow. This allows developers to authenticate from their terminal without exposing credentials.
-
-### Quick Setup
-
-For Factory installations, the CLI can auto-configure all OAuth2 settings:
-
-```bash
-crewai enterprise configure https://your-factory-url.app
-```
-
-This command fetches the SSO configuration from your Factory instance and sets all required CLI parameters automatically.
-
-Then authenticate:
-
-```bash
-crewai login
-```
-
-<Note>
-  Requires CrewAI CLI version **1.6.0** or higher for Entra ID, **0.159.0** or higher for Okta, and **1.9.0** or higher for Keycloak.
-</Note>
-
-### Manual CLI Configuration
-
-If you need to configure the CLI manually, use `crewai config set`:
-
-```bash
-# Set the provider
-crewai config set oauth2_provider okta
-
-# Set provider-specific values
-crewai config set oauth2_domain your-domain.okta.com
-crewai config set oauth2_client_id your-client-id
-crewai config set oauth2_audience api://default
-
-# Set the enterprise base URL
-crewai config set enterprise_base_url https://your-factory-url.app
-```
-
-### CLI Configuration Reference
-
-| Setting | Description | Example |
-|---|---|---|
-| `enterprise_base_url` | Your CrewAI instance URL | `https://crewai.yourcompany.com` |
-| `oauth2_provider` | Provider name | `workos`, `okta`, `auth0`, `entra_id`, `keycloak` |
-| `oauth2_domain` | Provider domain | `your-domain.okta.com` |
-| `oauth2_client_id` | OAuth2 client ID | `0oaqnwji7pGW7VT6T697` |
-| `oauth2_audience` | API audience identifier | `api://default` |
-
-View current configuration:
-
-```bash
-crewai config list
-```
-
-### How Device Authorization Works
-
-1. Run `crewai login` — the CLI requests a device code from your IdP
-2. A verification URL and code are displayed in your terminal
-3. Your browser opens to the verification URL
-4. Enter the code and authenticate with your IdP credentials
-5. The CLI receives an access token and stores it locally
-
---
-
-## Role-Based Access Control (RBAC)
-
-CrewAI Platform provides granular RBAC that integrates with your SSO provider. Permissions can be scoped to individual resources including dashboards, automations, and environment variables.
-
- **Predefined roles** come out of the box with standard permission sets
- **Custom roles** can be created with any combination of Read, Write, and Manage permissions
- **Per-resource assignment** — limit specific automations to individual users or roles
-
-For detailed RBAC configuration, see the [RBAC documentation](/enterprise/features/rbac).
-
---
-
-## Troubleshooting
-
-### CLI Login Fails (Device Authorization)
-
-**Symptom:** `crewai login` returns an error or times out.
-
-**Fix:**
- Verify that Device Authorization Grant is enabled in your IdP
- Check that your CLI is configured correctly: `crewai config list`
- Ensure your CrewAI CLI version meets the minimum requirements for your provider
-
-### Token Validation Errors
-
-**Symptom:** `Invalid token: Signature verification failed` or `401 Unauthorized` after login.
-
-**Fix:**
- Verify that your OAuth2 audience and authorization server settings match your IdP configuration exactly
- For SaaS: contact your CrewAI account team if errors persist after verifying CLI settings
-
-### 403 Forbidden After Login
-
-**Symptom:** User authenticates successfully but gets 403 errors.
-
-**Fix:**
- Check that the user is assigned to the CrewAI application in your IdP
- Verify the user has the appropriate role assignment in your IdP
-
-### CLI Can't Reach CrewAI Instance
-
-**Symptom:** `crewai enterprise configure` fails to connect.
-
-**Fix:**
- Verify the instance URL is reachable from your machine
- Check that `enterprise_base_url` is set correctly: `crewai config list`
- Ensure TLS certificates are valid and trusted
-
---
-
-## Next Steps
-
- [Installation Guide](/installation) — Get started with CrewAI
- [Quickstart](/quickstart) — Build your first crew
- [RBAC Setup](/enterprise/features/rbac) — Detailed role and permission management
--- a/docs/en/mcp/security.mdx
+++ b/docs/en/mcp/security.mdx
@@ -156,7 +156,19 @@ If you are developing an MCP server that CrewAI agents might connect to, conside
 - **Adherence to MCP Authorization Spec**: If implementing authentication and authorization, strictly follow the [MCP Authorization specification](https://modelcontextprotocol.io/specification/draft/basic/authorization) and relevant [OAuth 2.0 security best practices](https://datatracker.ietf.org/doc/html/rfc9700).
 - **Regular Security Audits**: If your MCP server handles sensitive data, performs critical operations, or is publicly exposed, consider periodic security audits by qualified professionals.

-## 5. Further Reading
+## 5. Reporting Security Vulnerabilities
+
+If you discover a security vulnerability in CrewAI, please report it responsibly through our Bugcrowd Vulnerability Disclosure Program (VDP):
+
+**Submit reports to:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**Do not** disclose vulnerabilities via public GitHub issues, pull requests, or social media. Reports submitted via channels other than Bugcrowd will not be reviewed.
+</Warning>
+
+For full details, see our [Security Policy](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md).
+
+## 6. Further Reading

 For more detailed information on MCP security, refer to the official documentation:
 - **[MCP Transport Security](https://modelcontextprotocol.io/docs/concepts/transports#security-considerations)**
--- a/docs/en/security.mdx
+++ b/docs/en/security.mdx
@@ -0,0 +1,22 @@
+---
+title: Security Policy
+description: Learn how to report security vulnerabilities and about CrewAI's security practices.
+icon: shield
+mode: "wide"
+---
+
+## Reporting Security Vulnerabilities
+
+If you discover a security vulnerability in CrewAI, please report it responsibly through our Bugcrowd Vulnerability Disclosure Program (VDP):
+
+**Submit reports to:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**Do not** disclose vulnerabilities via public GitHub issues, pull requests, or social media. Reports submitted via channels other than Bugcrowd will not be reviewed.
+</Warning>
+
+For full details, see our [Security Policy on GitHub](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md).
+
+## Security Resources
+
+- **[MCP Security Considerations](/mcp/security)** — Best practices for securely integrating MCP servers with your CrewAI agents, including transport security, prompt injection risks, and server implementation advice.
--- a/docs/ko/changelog.mdx
+++ b/docs/ko/changelog.mdx
@@ -4,63 +4,6 @@ description: "CrewAI의 제품 업데이트, 개선 사항 및 버그 수정"
 icon: "clock"
 mode: "wide"
 ---
-<Update label="2026년 3월 27일">
-  ## v1.13.0rc1
-
-  [GitHub 릴리스 보기](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## 변경 사항
-
-  ### 문서
-  - v1.13.0a2의 변경 로그 및 버전 업데이트
-
-  ## 기여자
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="2026년 3월 27일">
-  ## v1.13.0a2
-
-  [GitHub 릴리스 보기](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## 변경 사항
-
-  ### 기능
-  - 릴리스 중 자동 업데이트 배포 테스트 리포지토리
-  - 기업 릴리스의 복원력 및 사용자 경험 개선
-
-  ### 문서
-  - v1.13.0a1에 대한 변경 로그 및 버전 업데이트
-
-  ## 기여자
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="2026년 3월 27일">
-  ## v1.13.0a1
-
-  [GitHub 릴리스 보기](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## 변경 사항
-
-  ### 버그 수정
-  - Node를 LTS 22로 고정하여 문서 작업 흐름의 끊어진 링크 수정
-  - 기업 릴리스에서 새로 게시된 패키지의 uv 캐시 초기화
-
-  ### 문서
-  - 포괄적인 RBAC 권한 매트릭스 및 배포 가이드 추가
-  - v1.12.2에 대한 변경 로그 및 버전 업데이트
-
-  ## 기여자
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="2026년 3월 25일">
  ## v1.12.2

--- a/docs/ko/mcp/security.mdx
+++ b/docs/ko/mcp/security.mdx
@@ -156,7 +156,19 @@ CrewAI 에이전트가 연결할 수 있는 MCP 서버를 개발하고 있다면
 - **MCP 인증 사양 준수**: 인증 및 권한 부여를 구현할 경우, [MCP Authorization specification](https://modelcontextprotocol.io/specification/draft/basic/authorization) 및 관련 [OAuth 2.0 security best practices](https://datatracker.ietf.org/doc/html/rfc9700)를 엄격히 준수하세요.
 - **정기적인 보안 감사**: MCP 서버가 민감한 데이터를 처리하거나, 중요한 작업을 수행하거나, 대외적으로 노출된 경우 자격을 갖춘 전문가의 정기적인 보안 감사를 고려하세요.

-## 5. 추가 참고 자료
+## 5. 보안 취약점 보고
+
+CrewAI에서 보안 취약점을 발견하셨다면, Bugcrowd 취약점 공개 프로그램(VDP)을 통해 책임감 있게 보고해 주세요:
+
+**보고서 제출:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+공개 GitHub 이슈, 풀 리퀘스트 또는 소셜 미디어를 통해 취약점을 공개하지 **마세요**. Bugcrowd 이외의 채널로 제출된 보고서는 검토되지 않습니다.
+</Warning>
+
+자세한 내용은 [보안 정책](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md)을 참조하세요.
+
+## 6. 추가 참고 자료

 MCP 보안에 대한 자세한 내용은 공식 문서를 참고하세요:
 - **[MCP 전송 보안](https://modelcontextprotocol.io/docs/concepts/transports#security-considerations)**
--- a/docs/ko/security.mdx
+++ b/docs/ko/security.mdx
@@ -0,0 +1,22 @@
+---
+title: 보안 정책
+description: CrewAI의 보안 취약점 보고 방법과 보안 관행에 대해 알아보세요.
+icon: shield
+mode: "wide"
+---
+
+## 보안 취약점 보고
+
+CrewAI에서 보안 취약점을 발견하셨다면, Bugcrowd 취약점 공개 프로그램(VDP)을 통해 책임감 있게 보고해 주세요:
+
+**보고서 제출:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+공개 GitHub 이슈, 풀 리퀘스트 또는 소셜 미디어를 통해 취약점을 공개하지 **마세요**. Bugcrowd 이외의 채널로 제출된 보고서는 검토되지 않습니다.
+</Warning>
+
+자세한 내용은 [GitHub 보안 정책](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md)을 참조하세요.
+
+## 보안 리소스
+
+- **[MCP 보안 고려사항](/mcp/security)** — MCP 서버를 CrewAI 에이전트와 안전하게 통합하기 위한 모범 사례로, 전송 보안, 프롬프트 인젝션 위험 및 서버 구현 권장 사항을 포함합니다.
--- a/docs/pt-BR/changelog.mdx
+++ b/docs/pt-BR/changelog.mdx
@@ -4,63 +4,6 @@ description: "Atualizações de produto, melhorias e correções do CrewAI"
 icon: "clock"
 mode: "wide"
 ---
-<Update label="27 mar 2026">
-  ## v1.13.0rc1
-
-  [Ver release no GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## O que Mudou
-
-  ### Documentação
-  - Atualizar changelog e versão para v1.13.0a2
-
-  ## Contribuidores
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 mar 2026">
-  ## v1.13.0a2
-
-  [Ver release no GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## O que Mudou
-
-  ### Recursos
-  - Repositório de teste de implantação de autoatualização durante o lançamento
-  - Melhorar a resiliência e a experiência do usuário na versão empresarial
-
-  ### Documentação
-  - Atualizar changelog e versão para v1.13.0a1
-
-  ## Contribuidores
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 mar 2026">
-  ## v1.13.0a1
-
-  [Ver release no GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## O que Mudou
-
-  ### Correções de Bugs
-  - Corrigir links quebrados no fluxo de documentação fixando o Node na LTS 22
-  - Limpar o cache uv para pacotes recém-publicados na versão empresarial
-
-  ### Documentação
-  - Adicionar uma matriz abrangente de permissões RBAC e guia de implantação
-  - Atualizar o changelog e a versão para v1.12.2
-
-  ## Contributors
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="25 mar 2026">
  ## v1.12.2

--- a/docs/pt-BR/mcp/security.mdx
+++ b/docs/pt-BR/mcp/security.mdx
@@ -156,7 +156,19 @@ Se você está desenvolvendo um servidor MCP ao qual agentes CrewAI possam se co
 - **Aderência à Especificação de Autorização MCP**: Caso implemente autenticação e autorização, siga estritamente a [especificação de autorização MCP](https://modelcontextprotocol.io/specification/draft/basic/authorization) e as [melhores práticas de segurança OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc9700) relevantes.
 - **Auditorias de Segurança Regulares**: Caso seu servidor MCP manipule dados sensíveis, realize operações críticas ou seja exposto publicamente, considere auditorias de segurança periódicas conduzidas por profissionais qualificados.

-## 5. Leituras Adicionais
+## 5. Reportando Vulnerabilidades de Segurança
+
+Se você descobrir uma vulnerabilidade de segurança no CrewAI, por favor reporte de forma responsável através do nosso Programa de Divulgação de Vulnerabilidades (VDP) no Bugcrowd:
+
+**Envie relatórios para:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**Não** divulgue vulnerabilidades por meio de issues públicas no GitHub, pull requests ou redes sociais. Relatórios enviados por outros canais que não o Bugcrowd não serão analisados.
+</Warning>
+
+Para mais detalhes, consulte nossa [Política de Segurança](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md).
+
+## 6. Leituras Adicionais

 Para informações mais detalhadas sobre segurança MCP, consulte a documentação oficial:
 - **[Segurança de Transporte MCP](https://modelcontextprotocol.io/docs/concepts/transports#security-considerations)**
--- a/docs/pt-BR/security.mdx
+++ b/docs/pt-BR/security.mdx
@@ -0,0 +1,22 @@
+---
+title: Política de Segurança
+description: Saiba como reportar vulnerabilidades de segurança e sobre as práticas de segurança do CrewAI.
+icon: shield
+mode: "wide"
+---
+
+## Reportando Vulnerabilidades de Segurança
+
+Se você descobrir uma vulnerabilidade de segurança no CrewAI, por favor reporte de forma responsável através do nosso Programa de Divulgação de Vulnerabilidades (VDP) no Bugcrowd:
+
+**Envie relatórios para:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**Não** divulgue vulnerabilidades por meio de issues públicas no GitHub, pull requests ou redes sociais. Relatórios enviados por outros canais que não o Bugcrowd não serão analisados.
+</Warning>
+
+Para mais detalhes, consulte nossa [Política de Segurança no GitHub](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md).
+
+## Recursos de Segurança
+
+- **[Considerações de Segurança MCP](/mcp/security)** — Melhores práticas para integrar servidores MCP com segurança aos seus agentes CrewAI, incluindo segurança de transporte, riscos de injeção de prompt e conselhos de implementação de servidor.
--- a/lib/crewai-files/src/crewai_files/init.py
+++ b/lib/crewai-files/src/crewai_files/init.py
@@ -152,4 +152,4 @@ __all__ = [
    "wrap_file_source",
 ]

-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"
--- a/lib/crewai-tools/pyproject.toml
+++ b/lib/crewai-tools/pyproject.toml
@@ -11,7 +11,7 @@ dependencies = [
    "pytube~=15.0.0",
    "requests~=2.32.5",
    "docker~=7.1.0",
-    "crewai==1.13.0rc1",
+    "crewai==1.12.2",
    "tiktoken~=0.8.0",
    "beautifulsoup4~=4.13.4",
    "python-docx~=1.2.0",
--- a/lib/crewai-tools/src/crewai_tools/init.py
+++ b/lib/crewai-tools/src/crewai_tools/init.py
@@ -309,4 +309,4 @@ __all__ = [
    "ZapierActionTools",
 ]

-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"
--- a/lib/crewai/pyproject.toml
+++ b/lib/crewai/pyproject.toml
@@ -54,7 +54,7 @@ Repository = "https://github.com/crewAIInc/crewAI"

 [project.optional-dependencies]
 tools = [
-    "crewai-tools==1.13.0rc1",
+    "crewai-tools==1.12.2",
 ]
 embeddings = [
    "tiktoken~=0.8.0"
--- a/lib/crewai/src/crewai/init.py
+++ b/lib/crewai/src/crewai/init.py
@@ -42,7 +42,7 @@ def _suppress_pydantic_deprecation_warnings() -> None:

 _suppress_pydantic_deprecation_warnings()

-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"
 _telemetry_submitted = False


--- a/lib/crewai/src/crewai/cli/templates/crew/pyproject.toml
+++ b/lib/crewai/src/crewai/cli/templates/crew/pyproject.toml
@@ -5,7 +5,7 @@ description = "{{name}} using crewAI"
 authors = [{ name = "Your Name", email = "you@example.com" }]
 requires-python = ">=3.10,<3.14"
 dependencies = [
-    "crewai[tools]==1.13.0rc1"
+    "crewai[tools]==1.12.2"
 ]

 [project.scripts]
--- a/lib/crewai/src/crewai/cli/templates/flow/pyproject.toml
+++ b/lib/crewai/src/crewai/cli/templates/flow/pyproject.toml
@@ -5,7 +5,7 @@ description = "{{name}} using crewAI"
 authors = [{ name = "Your Name", email = "you@example.com" }]
 requires-python = ">=3.10,<3.14"
 dependencies = [
-    "crewai[tools]==1.13.0rc1"
+    "crewai[tools]==1.12.2"
 ]

 [project.scripts]
--- a/lib/crewai/src/crewai/cli/templates/tool/pyproject.toml
+++ b/lib/crewai/src/crewai/cli/templates/tool/pyproject.toml
@@ -5,7 +5,7 @@ description = "Power up your crews with {{folder_name}}"
 readme = "README.md"
 requires-python = ">=3.10,<3.14"
 dependencies = [
-    "crewai[tools]==1.13.0rc1"
+    "crewai[tools]==1.12.2"
 ]

 [tool.crewai]
--- a/lib/devtools/src/crewai_devtools/init.py
+++ b/lib/devtools/src/crewai_devtools/init.py
@@ -1,3 +1,3 @@
 """CrewAI development tools."""

-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"
--- a/lib/devtools/src/crewai_devtools/cli.py
+++ b/lib/devtools/src/crewai_devtools/cli.py
@@ -156,33 +156,6 @@ def update_version_in_file(file_path: Path, new_version: str) -> bool:
    return False


-def update_pyproject_version(file_path: Path, new_version: str) -> bool:
-    """Update the [project] version field in a pyproject.toml file.
-
-    Args:
-        file_path: Path to pyproject.toml file.
-        new_version: New version string.
-
-    Returns:
-        True if version was updated, False otherwise.
-    """
-    if not file_path.exists():
-        return False
-
-    content = file_path.read_text()
-    new_content = re.sub(
-        r'^(version\s*=\s*")[^"]+(")',
-        rf"\g<1>{new_version}\2",
-        content,
-        count=1,
-        flags=re.MULTILINE,
-    )
-    if new_content != content:
-        file_path.write_text(new_content)
-        return True
-    return False
-
-
 _DEFAULT_WORKSPACE_PACKAGES: Final[list[str]] = [
    "crewai",
    "crewai-tools",
@@ -1072,84 +1045,10 @@ def _update_enterprise_crewai_dep(pyproject_path: Path, version: str) -> bool:
    return False


-_DEPLOYMENT_TEST_REPO: Final[str] = "crewAIInc/crew_deployment_test"
-
 _PYPI_POLL_INTERVAL: Final[int] = 15
 _PYPI_POLL_TIMEOUT: Final[int] = 600


-def _update_deployment_test_repo(version: str, is_prerelease: bool) -> None:
-    """Update the deployment test repo to pin the new crewai version.
-
-    Clones the repo, updates the crewai[tools] pin in pyproject.toml,
-    regenerates the lockfile, commits, and pushes directly to main.
-
-    Args:
-        version: New crewai version string.
-        is_prerelease: Whether this is a pre-release version.
-    """
-    console.print(
-        f"\n[bold cyan]Updating {_DEPLOYMENT_TEST_REPO} to {version}[/bold cyan]"
-    )
-
-    with tempfile.TemporaryDirectory() as tmp:
-        repo_dir = Path(tmp) / "crew_deployment_test"
-        run_command(["gh", "repo", "clone", _DEPLOYMENT_TEST_REPO, str(repo_dir)])
-        console.print(f"[green]✓[/green] Cloned {_DEPLOYMENT_TEST_REPO}")
-
-        pyproject = repo_dir / "pyproject.toml"
-        content = pyproject.read_text()
-        new_content = re.sub(
-            r'"crewai\[tools\]==[^"]+"',
-            f'"crewai[tools]=={version}"',
-            content,
-        )
-        if new_content == content:
-            console.print(
-                "[yellow]Warning:[/yellow] No crewai[tools] pin found to update"
-            )
-            return
-        pyproject.write_text(new_content)
-        console.print(f"[green]✓[/green] Updated crewai[tools] pin to {version}")
-
-        lock_cmd = [
-            "uv",
-            "lock",
-            "--refresh-package",
-            "crewai",
-            "--refresh-package",
-            "crewai-tools",
-        ]
-        if is_prerelease:
-            lock_cmd.append("--prerelease=allow")
-
-        max_retries = 10
-        for attempt in range(1, max_retries + 1):
-            try:
-                run_command(lock_cmd, cwd=repo_dir)
-                break
-            except subprocess.CalledProcessError:
-                if attempt == max_retries:
-                    console.print(
-                        f"[red]Error:[/red] uv lock failed after {max_retries} attempts"
-                    )
-                    raise
-                console.print(
-                    f"[yellow]uv lock failed (attempt {attempt}/{max_retries}),"
-                    f" retrying in {_PYPI_POLL_INTERVAL}s...[/yellow]"
-                )
-                time.sleep(_PYPI_POLL_INTERVAL)
-        console.print("[green]✓[/green] Lockfile updated")
-
-        run_command(["git", "add", "pyproject.toml", "uv.lock"], cwd=repo_dir)
-        run_command(
-            ["git", "commit", "-m", f"chore: bump crewai to {version}"],
-            cwd=repo_dir,
-        )
-        run_command(["git", "push"], cwd=repo_dir)
-        console.print(f"[green]✓[/green] Pushed to {_DEPLOYMENT_TEST_REPO}")
-
-
 def _wait_for_pypi(package: str, version: str) -> None:
    """Poll PyPI until a specific package version is available.

@@ -1242,11 +1141,6 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non

            pyproject = pkg_dir / "pyproject.toml"
            if pyproject.exists():
-                if update_pyproject_version(pyproject, version):
-                    console.print(
-                        f"[green]✓[/green] Updated version in: "
-                        f"{pyproject.relative_to(repo_dir)}"
-                    )
                if update_pyproject_dependencies(
                    pyproject, version, extra_packages=list(_ENTERPRISE_EXTRA_PACKAGES)
                ):
@@ -1265,35 +1159,7 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non
        _wait_for_pypi("crewai", version)

        console.print("\nSyncing workspace...")
-        sync_cmd = [
-            "uv",
-            "sync",
-            "--refresh-package",
-            "crewai",
-            "--refresh-package",
-            "crewai-tools",
-            "--refresh-package",
-            "crewai-files",
-        ]
-        if is_prerelease:
-            sync_cmd.append("--prerelease=allow")
-
-        max_retries = 10
-        for attempt in range(1, max_retries + 1):
-            try:
-                run_command(sync_cmd, cwd=repo_dir)
-                break
-            except subprocess.CalledProcessError:
-                if attempt == max_retries:
-                    console.print(
-                        f"[red]Error:[/red] uv sync failed after {max_retries} attempts"
-                    )
-                    raise
-                console.print(
-                    f"[yellow]uv sync failed (attempt {attempt}/{max_retries}),"
-                    f" retrying in {_PYPI_POLL_INTERVAL}s...[/yellow]"
-                )
-                time.sleep(_PYPI_POLL_INTERVAL)
+        run_command(["uv", "sync"], cwd=repo_dir)
        console.print("[green]✓[/green] Workspace synced")

        # --- branch, commit, push, PR ---
@@ -1309,7 +1175,7 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non
        run_command(["git", "push", "-u", "origin", branch_name], cwd=repo_dir)
        console.print("[green]✓[/green] Branch pushed")

-        pr_url = run_command(
+        run_command(
            [
                "gh",
                "pr",
@@ -1326,7 +1192,6 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non
            cwd=repo_dir,
        )
        console.print("[green]✓[/green] Enterprise bump PR created")
-        console.print(f"[cyan]PR URL:[/cyan] {pr_url}")

        _poll_pr_until_merged(branch_name, "enterprise bump PR", repo=enterprise_repo)

@@ -1693,18 +1558,7 @@ def tag(dry_run: bool, no_edit: bool) -> None:
    is_flag=True,
    help="Skip the enterprise release phase",
 )
-@click.option(
-    "--skip-to-enterprise",
-    is_flag=True,
-    help="Skip phases 1 & 2, run only the enterprise release phase",
-)
-def release(
-    version: str,
-    dry_run: bool,
-    no_edit: bool,
-    skip_enterprise: bool,
-    skip_to_enterprise: bool,
-) -> None:
+def release(version: str, dry_run: bool, no_edit: bool, skip_enterprise: bool) -> None:
    """Full release: bump versions, tag, and publish a GitHub release.

    Combines bump and tag into a single workflow. Creates a version bump PR,
@@ -1717,19 +1571,11 @@ def release(
        dry_run: Show what would be done without making changes.
        no_edit: Skip editing release notes.
        skip_enterprise: Skip the enterprise release phase.
-        skip_to_enterprise: Skip phases 1 & 2, run only the enterprise release phase.
    """
    try:
        check_gh_installed()

-        if skip_enterprise and skip_to_enterprise:
-            console.print(
-                "[red]Error:[/red] Cannot use both --skip-enterprise "
-                "and --skip-to-enterprise"
-            )
-            sys.exit(1)
-
-        if not skip_enterprise or skip_to_enterprise:
+        if not skip_enterprise:
            missing: list[str] = []
            if not _ENTERPRISE_REPO:
                missing.append("ENTERPRISE_REPO")
@@ -1748,15 +1594,6 @@ def release(
        cwd = Path.cwd()
        lib_dir = cwd / "lib"

-        is_prerelease = _is_prerelease(version)
-
-        if skip_to_enterprise:
-            _release_enterprise(version, is_prerelease, dry_run)
-            console.print(
-                f"\n[green]✓[/green] Enterprise release [bold]{version}[/bold] complete!"
-            )
-            return
-
        if not dry_run:
            console.print("Checking git status...")
            check_git_clean()
@@ -1850,8 +1687,7 @@ def release(

        if not dry_run:
            _create_tag_and_release(tag_name, release_notes, is_prerelease)
-            _trigger_pypi_publish(tag_name, wait=True)
-            _update_deployment_test_repo(version, is_prerelease)
+            _trigger_pypi_publish(tag_name, wait=not skip_enterprise)

        if not skip_enterprise:
            _release_enterprise(version, is_prerelease, dry_run)