Files
Tirth Kanani aef940fcde chore(repo): add issue/PR templates, SECURITY.md, CoC, package metadata; widen CI triggers
Closes a cluster of community-profile gaps (#248, #249, #251, #252) in one
PR rather than four micro-PRs that all touch the same surface area.

### Templates (#251, #252)

- .github/ISSUE_TEMPLATE/bug_report.yml — required fields for repro
  (plugin version, platform, OS, project language, file count); the four
  pieces of context that are missing from ~every current bug report.
- .github/ISSUE_TEMPLATE/feature_request.yml — leads with the *problem*
  rather than the proposed solution, which keeps maintainer review focused
  on whether to solve, not just how.
- .github/ISSUE_TEMPLATE/question.yml — separate from bug to keep the
  bug queue triagable.
- .github/ISSUE_TEMPLATE/config.yml — disables blank issues and routes
  general discussion to README + Discussions.
- .github/PULL_REQUEST_TEMPLATE.md — includes the version-bump checklist
  that CLAUDE.md says must stay in sync across 5 manifests; otherwise
  every contributor learns this rule by getting their PR bounced.

### Community files

- CODE_OF_CONDUCT.md — short, project-specific document that names the
  expectations and reporting path. Not a verbatim Contributor Covenant
  to keep it readable.
- SECURITY.md — describes the project's local-only threat model
  explicitly so reporters know what's in / out of scope before they
  spend time on a writeup. Points at GitHub private vulnerability
  reporting as the primary channel.

### CI (#249)

- ci.yml now also runs on pushes to main, not only PRs. Without this,
  a direct push to main (which happens when maintainers merge a PR
  branch locally) doesn't trigger CI, so a regression can land green-
  looking and stay broken for days.
- Added a concurrency group that cancels stale runs for the same ref.
  Saves runner minutes and keeps the per-ref status meaningful.
- Used `github.ref` (a controlled value), not user-controlled input,
  so no script-injection surface.

### package.json (#248)

- Added description, license, repository, bugs, homepage, keywords —
  the standard set for npm package discoverability and so GitHub's
  community-profile check shows the project at 100%.
2026-05-31 21:29:13 +01:00

52 lines
2.0 KiB
Markdown

# Reporting security issues
Thanks for taking the time to disclose responsibly.
## How to report
Please use GitHub's [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
on this repository. That keeps the report visible to the maintainer without
exposing the details publicly.
If private reporting is unavailable for any reason, open a regular issue
titled `security: brief description` **without** any exploit details, and
the maintainer will reply with a private channel.
## What to include
- A description of the issue and its potential impact.
- Steps to reproduce — minimal is fine, a full PoC is not required.
- Affected versions if you've narrowed them down.
- Whether you'd like to be credited in the eventual fix.
## What to expect
- Initial acknowledgement within a few days.
- A fix or mitigation plan within ~30 days for confirmed issues; longer for
cases that require coordinated disclosure with upstream dependencies.
- Public credit once a fix has shipped, if you'd like.
## Scope
This project is a **local-only** static-analysis tool. It runs on a
developer's machine, reads the analyzed project, and writes the resulting
graph to `.understand-anything/`. It does not phone home and the dashboard's
file-content endpoint is gated behind an access token and a graph-derived
path allowlist.
Issues we care about:
- Code execution triggered by analyzing a hostile project (e.g. a path in a
hostile file leaking outside the analyzed directory, or untrusted JSON in
the graph being executed by the dashboard).
- The dashboard's file-content endpoint serving files outside the allowlist.
- The `/understand` skill running shell commands derived from untrusted
paths or contents.
Issues that are **out of scope**:
- Bugs that require a malicious local user with write access to the
analyzed project (they could just edit the source directly).
- Anything that requires the user to copy a malicious URL and paste it back
into the dashboard.