Coding-Dev-Tools · Coding-Dev-Tools · Jun 29, 2026 · Jun 29, 2026
@@ -42,3 +42,57 @@ jobs:
           apiauth --version
           apiauth --help
           apiauth generate --help
+
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
+        with:
+          python-version: "3.12"
+
+      - name: Install pip-audit
+        run: pip install pip-audit
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Security audit (pip-audit)
+        run: pip-audit -r requirements.txt || pip-audit --desc
+
+      - name: Check for secrets
+        uses: trufflesecurity/trufflehog@34ed34b8e678b826e3e4a3d28426ac8bdfc4e1f2
+        with:
+          path: ./
+          base: ""
+          head: ${{ github.sha }}
+
+  build:
+    runs-on: ubuntu-latest
+    needs: [test, security]
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
+        with:
+          python-version: "3.12"
+
+      - name: Install build tools
+        run: |
+          python -m pip install --upgrade pip
+          pip install build twine
+
+      - name: Build package
+        run: python -m build
+
+      - name: Check package
+        run: twine check dist/*
@@ -5,18 +5,19 @@ Thanks for your interest in contributing!
 ## Development Setup
 
 1. Fork and clone the repo
-2. Create a virtual environment: python -m venv .venv && source .venv/bin/activate
-3. Install dev dependencies: pip install -e ".[dev]"
-4. Run tests: pytest tests/ -v
-5. Lint: uff check src/
+2. Create a virtual environment: `python -m venv .venv && source .venv/bin/activate`
+3. Install dev dependencies: `pip install -e ".[dev]"`
+4. Run tests: `pytest tests/ -v`
+5. Lint: `ruff check src/`
 
 ## Pull Requests
 
 - Fork the repo and create a feature branch
 - Add tests for any new functionality
 - Ensure all existing tests pass
-- Run uff check src/ --fix before committing
+- Run `ruff check src/ --fix` before committing
 - Keep PRs focused on a single change
+- Ensure CI passes (ruff lint, pytest, CLI checks)
 
 ## Reporting Issues
 
@@ -29,7 +30,20 @@ Thanks for your interest in contributing!
 - Python 3.10+
 - Type hints where practical
 - Follow ruff defaults (Black-compatible formatting)
+- Use conventional commits for commit messages (feat:, fix:, docs:, chore:, refactor:, test:)
+
+## Testing
+
+- Write unit tests for new functions in `tests/test_cli.py`
+- Run full test suite: `pytest tests/ -v --tb=short`
+- Target: 100% coverage for new code
+
+## Security
+
+- Never commit secrets or API keys
+- Use `pip audit` before adding dependencies
+- Follow the security practices in SECURITY.md
 
 ## License
 
-By contributing, you agree your work will be licensed under the same license as this project.
+By contributing, you agree your work will be licensed under the same license as this project (MIT).
@@ -2,6 +2,11 @@
 
 ## Supported Versions
 
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.2.x   | :white_check_mark: |
+| < 0.2   | :x:                |
+
 We release patches for security vulnerabilities in the latest version.
 
 ## Reporting a Vulnerability
@@ -21,3 +26,30 @@ We aim to respond within 48 hours and will keep you updated on the fix.
 - Keep your dependencies up to date
 - Use `pip audit` to check for known vulnerabilities
 - Report any security concerns promptly
+
+## Security Architecture
+
+APIAuth uses several security controls:
+
+- **Encryption**: AES-256-GCM for keystore encryption
+- **Key Derivation**: PBKDF2 with 100,000 iterations for master key derivation
+- **Storage**: Only SHA-256 hashes of API keys and JWT signing secrets are stored
+- **Key Rotation**: Previous key values are hashed out on rotation
+- **Verification**: Constant-time hash comparison for API key verification
+- **Offline Operation**: No telemetry, no network calls, fully air-gapped capable
+
+## Threat Model
+
+| Threat | Mitigation |
+|--------|------------|
+| Keystore theft | AES-256-GCM encryption with PBKDF2-derived key |
+| Key exposure on rotation | Previous values hashed with SHA-256 before rotation |
+| Timing attacks | Constant-time comparison for hash verification |
+| Replay attacks | JTI-based JWT tracking with revocation support |
+| Supply chain | Dependabot weekly updates, pinned GitHub Actions SHAs |
+
+## Compliance
+
+- No PII stored in keystore
+- GDPR-compliant by design (no personal data collection)
+- SOC 2 compatible audit trail via `apiauth audit` command
@@ -0,0 +1,5 @@
+click>=8.1.0
+cryptography>=46.0.6
+pyjwt>=2.12.0
+rich>=13.0.0
+python-dateutil>=2.8.0