docs: add SECURITY.md, CONTRIBUTING.md, and disable blank issues

Sephyi · Sephyi · commit 894d0cbbedca · 2026-03-22T05:45:18.000+01:00
- SECURITY.md with vulnerability reporting via GitHub advisories,
  scope covering LLM streaming, secret scanning, config security
- CONTRIBUTING.md with CLA reference, dev setup, CI gate, REUSE
- config.yml disables blank GitHub issues (forces templates)
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: 2026 Sephyi <me@sephy.io>
+#
+# SPDX-License-Identifier: PolyForm-Noncommercial-1.0.0
+
+blank_issues_enabled: false
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,78 @@
+<!--
+SPDX-FileCopyrightText: 2026 Sephyi <me@sephy.io>
+
+SPDX-License-Identifier: PolyForm-Noncommercial-1.0.0
+-->
+
+# Contributing to CommitBee
+
+Thank you for your interest in contributing! This guide covers the process
+for submitting changes.
+
+## Contributor License Agreement
+
+All contributors must sign the [Contributor License Agreement](CLA.md)
+before their pull request can be merged.
+
+**How it works:**
+
+1. Open a pull request.
+2. The CLA bot will comment asking you to sign.
+3. Reply with the signature phrase indicated by the bot.
+4. The bot records your signature — you only need to sign once.
+
+## Development Setup
+
+```bash
+# Clone and build
+git clone https://github.com/sephyi/commitbee.git
+cd commitbee
+cargo build
+
+# Run tests
+cargo test --all-targets
+
+# Run with eval harness
+cargo test --all-targets --features eval
+
+# Lint
+cargo fmt --check && cargo clippy --all-targets -- -D warnings
+```
+
+**Requirements:** Rust 1.94+ (edition 2024), Ollama for manual testing.
+
+## Before Submitting
+
+1. Run the full CI gate: `cargo fmt --check && cargo clippy --all-targets -- -D warnings && cargo test --all-targets`
+2. Add tests for new functionality
+3. Follow existing code patterns and conventions (see [CLAUDE.md](CLAUDE.md) for details)
+4. Keep commits focused — one logical change per commit
+5. Use [Conventional Commits](https://www.conventionalcommits.org/) for commit messages
+
+## Code Style
+
+- `cargo fmt` for formatting (enforced by CI)
+- `cargo clippy -- -D warnings` for linting (zero warnings required)
+- See the [TypeScript style guide](https://ts.dev/style) principles adapted for Rust in CLAUDE.md
+
+## REUSE Compliance
+
+All files must have SPDX headers. Use:
+
+```bash
+reuse annotate --copyright "Sephyi <me@sephy.io>" --license PolyForm-Noncommercial-1.0.0 --year 2026 <file>
+```
+
+## Reporting Bugs
+
+Use the [bug report template](../../issues/new?template=bug_report.yml).
+Include `commitbee --version`, `commitbee doctor` output, and
+`commitbee --dry-run --show-prompt` output when relevant.
+
+## Requesting Features
+
+Use the [feature request template](../../issues/new?template=feature_request.yml).
+
+## Security Issues
+
+See [SECURITY.md](SECURITY.md) — do not open public issues for vulnerabilities.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,46 @@
+<!--
+SPDX-FileCopyrightText: 2026 Sephyi <me@sephy.io>
+
+SPDX-License-Identifier: PolyForm-Noncommercial-1.0.0
+-->
+
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Do not open a public issue.**
+
+**Preferred:** Use GitHub's private vulnerability reporting — click
+**"Report a vulnerability"** on the
+[Security tab](../../security/advisories/new) of this repository. This
+creates a private advisory draft with a CVE workflow.
+
+**Alternative:** Email [me@sephy.io](mailto:me@sephy.io) with details.
+
+Include as much detail as possible:
+
+- Description of the vulnerability
+- Steps to reproduce
+- Affected component (LLM providers, secret scanning, git operations, config)
+- Potential impact
+
+You will receive an acknowledgment within 7 days. Fixes for confirmed
+vulnerabilities will be released as patch versions with a security advisory.
+
+## Scope
+
+Security issues in the following areas are in scope:
+
+- **LLM streaming** — buffer exhaustion, response size limits, malformed server responses
+- **Secret scanning** — pattern bypass, false negatives on known key formats
+- **Config security** — project-level config overrides that could redirect API traffic or exfiltrate data
+- **Git operations** — command injection via file paths, argument injection
+- **Error messages** — credential or URL leakage in error output
+- **Prompt injection** — crafted diff content that manipulates LLM behavior to produce harmful output
+- **Dependency vulnerabilities** — reqwest, tokio, tree-sitter, serde
+
+## Out of Scope
+
+- LLM output quality (wrong commit type, generic subjects) — use the issue tracker
+- Feature requests — use the issue tracker
+- Vulnerabilities in Ollama, OpenAI, or Anthropic services themselves
