Files
Tirth Kanani aef940fcde chore(repo): add issue/PR templates, SECURITY.md, CoC, package metadata; widen CI triggers
Closes a cluster of community-profile gaps (#248, #249, #251, #252) in one
PR rather than four micro-PRs that all touch the same surface area.

### Templates (#251, #252)

- .github/ISSUE_TEMPLATE/bug_report.yml — required fields for repro
  (plugin version, platform, OS, project language, file count); the four
  pieces of context that are missing from ~every current bug report.
- .github/ISSUE_TEMPLATE/feature_request.yml — leads with the *problem*
  rather than the proposed solution, which keeps maintainer review focused
  on whether to solve, not just how.
- .github/ISSUE_TEMPLATE/question.yml — separate from bug to keep the
  bug queue triagable.
- .github/ISSUE_TEMPLATE/config.yml — disables blank issues and routes
  general discussion to README + Discussions.
- .github/PULL_REQUEST_TEMPLATE.md — includes the version-bump checklist
  that CLAUDE.md says must stay in sync across 5 manifests; otherwise
  every contributor learns this rule by getting their PR bounced.

### Community files

- CODE_OF_CONDUCT.md — short, project-specific document that names the
  expectations and reporting path. Not a verbatim Contributor Covenant
  to keep it readable.
- SECURITY.md — describes the project's local-only threat model
  explicitly so reporters know what's in / out of scope before they
  spend time on a writeup. Points at GitHub private vulnerability
  reporting as the primary channel.

### CI (#249)

- ci.yml now also runs on pushes to main, not only PRs. Without this,
  a direct push to main (which happens when maintainers merge a PR
  branch locally) doesn't trigger CI, so a regression can land green-
  looking and stay broken for days.
- Added a concurrency group that cancels stale runs for the same ref.
  Saves runner minutes and keeps the per-ref status meaningful.
- Used `github.ref` (a controlled value), not user-controlled input,
  so no script-injection surface.

### package.json (#248)

- Added description, license, repository, bugs, homepage, keywords —
  the standard set for npm package discoverability and so GitHub's
  community-profile check shows the project at 100%.
2026-05-31 21:29:13 +01:00

2.0 KiB

Reporting security issues

Thanks for taking the time to disclose responsibly.

How to report

Please use GitHub's private vulnerability reporting on this repository. That keeps the report visible to the maintainer without exposing the details publicly.

If private reporting is unavailable for any reason, open a regular issue titled security: brief description without any exploit details, and the maintainer will reply with a private channel.

What to include

  • A description of the issue and its potential impact.
  • Steps to reproduce — minimal is fine, a full PoC is not required.
  • Affected versions if you've narrowed them down.
  • Whether you'd like to be credited in the eventual fix.

What to expect

  • Initial acknowledgement within a few days.
  • A fix or mitigation plan within ~30 days for confirmed issues; longer for cases that require coordinated disclosure with upstream dependencies.
  • Public credit once a fix has shipped, if you'd like.

Scope

This project is a local-only static-analysis tool. It runs on a developer's machine, reads the analyzed project, and writes the resulting graph to .understand-anything/. It does not phone home and the dashboard's file-content endpoint is gated behind an access token and a graph-derived path allowlist.

Issues we care about:

  • Code execution triggered by analyzing a hostile project (e.g. a path in a hostile file leaking outside the analyzed directory, or untrusted JSON in the graph being executed by the dashboard).
  • The dashboard's file-content endpoint serving files outside the allowlist.
  • The /understand skill running shell commands derived from untrusted paths or contents.

Issues that are out of scope:

  • Bugs that require a malicious local user with write access to the analyzed project (they could just edit the source directly).
  • Anything that requires the user to copy a malicious URL and paste it back into the dashboard.