diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..43c994c --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1 @@ +@AGENTS.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..34d9174 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,38 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| --- | --- | +| Latest release | Yes | +| Older releases | No | + +Security fixes are provided on a best-effort basis for the latest release only. + +## Reporting a Vulnerability + +If you believe you have found a security vulnerability in ExStruct, please report it by email to `harumiweb.security@gmail.com`. + +For vulnerabilities or other sensitive security problems that are not already public, please do not open a public GitHub issue first. Email is the preferred initial reporting channel. + +If the issue is already public or is not sensitive, GitHub Issues can still be used for general discussion after the initial report or for non-security bugs. + +Please include as much of the following as you can: + +- affected ExStruct version +- platform and environment details +- reproduction steps or a proof of concept +- expected impact +- any suggested mitigation or fix ideas + +## What to Expect + +ExStruct is maintained as a personal project, so security triage and fixes are handled on a best-effort basis. + +There is no official SLA or guaranteed response time, but I will try to acknowledge reports and assess severity when possible. + +Please avoid public disclosure until the issue has been reviewed and a mitigation or fix path is clear. + +## Non-Security Issues + +For general bugs, usage questions, and non-sensitive discussion, please use GitHub Issues. diff --git a/tasks/feature_spec.md b/tasks/feature_spec.md index 2252969..f71c035 100644 --- a/tasks/feature_spec.md +++ b/tasks/feature_spec.md @@ -168,3 +168,43 @@ - `recommended` - rationale: the change turns AI-agent operational workflow into a durable repository rule and resolves recurring tradeoffs around single-skill packaging, repo source of truth, and the CLI-versus-MCP boundary. + +## 2026-04-16 SECURITY.md policy + +### Goal + +- Add a root-level `SECURITY.md` that GitHub can recognize as the repository security policy. +- Direct security reports to `harumiweb.security@gmail.com` and keep sensitive disclosures out of public issue threads when they are not already public. +- Keep the change documentation-only with no code, package, CLI, MCP, or MkDocs navigation impact. + +### Public contract summary + +- The repository gains one new public policy document: `SECURITY.md`. +- Supported versions are defined as the latest release only. +- Security vulnerabilities should be reported by email first. +- Public GitHub issues remain appropriate for non-security problems and already-public, non-sensitive discussion. + +### Permanent destinations + +- `SECURITY.md` + - Canonical public security policy document for responsible disclosure and supported-version guidance. +- `tasks/feature_spec.md` and `tasks/todo.md` + - Retain only this compact implementation record and verification evidence for the session. + +### Constraints + +- `SECURITY.md` is English-only for this change. +- `README.md`, `README.ja.md`, `docs/`, and `mkdocs.yml` remain unchanged. +- The supported-version policy must avoid hard-coding a specific release number and instead describe support as "latest release". + +### Verification + +- `rg -n "Security Policy|harumiweb.security@gmail.com|Latest release|GitHub Issues" SECURITY.md` +- `git diff --check -- SECURITY.md tasks/feature_spec.md tasks/todo.md` +- `uv run task precommit-run` +- `uv run pytest -q` + +### ADR verdict + +- `not-needed` +- rationale: this adds a single public repository policy document without changing architecture, public API design, or long-lived internal tradeoff policy. diff --git a/tasks/todo.md b/tasks/todo.md index 3732bb1..6c1b6c5 100644 --- a/tasks/todo.md +++ b/tasks/todo.md @@ -83,3 +83,25 @@ - `rg -n "^## |Tests:|Code:|Related specs:" dev-docs/adr/ADR-0009-single-cli-skill-for-agent-workflows.md` - `uv run task precommit-run` - `git diff --check` + +## 2026-04-16 SECURITY.md policy + +### Planning + +- [x] Confirm whether `SECURITY.md` already exists and review the current public-document tone in `README.md` and `CONTRIBUTING.md`. +- [x] Define the minimal public policy: latest-release-only support and email-first disclosure to `harumiweb.security@gmail.com`. +- [x] Add a root-level `SECURITY.md` with supported versions, reporting instructions, and expectations for response/disclosure. +- [x] Record the durable destination and ADR verdict in `tasks/feature_spec.md`. +- [x] Run the planned verification commands and record the results. + +### Review + +- Added the root-level `SECURITY.md` as the durable public security policy document with latest-release-only support guidance and email-first reporting to `harumiweb.security@gmail.com`. +- Kept the change documentation-only; `README.md`, `README.ja.md`, `docs/`, `mkdocs.yml`, code, and public runtime interfaces were unchanged. +- `tasks/feature_spec.md` now records the compact spec, permanent destination, verification commands, and `not-needed` ADR verdict for this session. +- Verification: + - `rg -n "Security Policy|harumiweb.security@gmail.com|Latest release|GitHub Issues" SECURITY.md` + - `git diff --check -- SECURITY.md tasks/feature_spec.md tasks/todo.md` + - `uv run task precommit-run` + - `uv run pytest -q` + - Result summary: `pre-commit` passed (`ruff`, `ruff-format`, `mypy`), and `pytest` completed with `913 passed, 4 skipped`.