docs: add SECURITY.md and update CONTRIBUTING.md with quality tooling

Author: isanchez31

CONTRIBUTING.md

@@ -13,9 +13,13 @@ bun install
 ## Commands
 
 ```bash
-bun run build    # Build the project
-bun test         # Run tests
-bun run dev      # Watch mode
+bun run build        # Build the project
+bun test             # Run tests
+bun test --coverage  # Run tests with coverage
+bun run check        # Lint + format check (Biome)
+bun run check:fix    # Lint + format auto-fix
+bun run typecheck    # Type check (tsc --noEmit)
+bun run dev          # Watch mode
 ```
 
 ## Making Changes
@@ -27,9 +31,11 @@ bun run dev      # Watch mode
 
 2. Make your changes and add tests if applicable.
 
-3. Ensure all tests pass:
+3. Ensure everything passes before committing:
    ```bash
-   bun test
+   bun run check      # Lint + format
+   bun run typecheck   # Type check
+   bun test            # Tests
    ```
 
 4. Commit using [Conventional Commits](https://www.conventionalcommits.org/):
@@ -41,14 +47,18 @@ bun run dev      # Watch mode
    chore: update dependencies
    ```
 
-5. Open a Pull Request against `main`.
+5. Open a Pull Request against `main`. PR titles must follow the same conventional commit format.
 
-## Code Style
+## Code Quality
 
-- TypeScript with strict mode
-- Use `bun` as the package manager and test runner
-- Keep dependencies minimal
-- Prefer explicit error handling over silent failures
+This project uses the following tools to maintain code quality:
+
+- **[Biome](https://biomejs.dev/)** for linting and formatting (replaces ESLint + Prettier)
+- **TypeScript strict mode** for type safety
+- **tsc --noEmit** for type checking beyond what Biome covers
+- **bun test** with built-in coverage for testing
+
+All checks run automatically in CI. PRs must pass the `quality` and `test` jobs before merging.
 
 ## Project Structure
 
@@ -75,6 +85,10 @@ Use the [bug report template](https://github.com/isanchez31/opencode-sandbox-plu
 
 Use the [feature request template](https://github.com/isanchez31/opencode-sandbox-plugin/issues/new?template=feature_request.md).
 
+## Security
+
+See [SECURITY.md](SECURITY.md) for reporting vulnerabilities.
+
 ## License
 
 By contributing, you agree that your contributions will be licensed under the MIT License.

SECURITY.md

@@ -0,0 +1,31 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+|---------|--------------------|
+| 0.1.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in opencode-sandbox, please report it responsibly.
+
+**Do not open a public issue.**
+
+Instead, email **ivan31.sanchez@gmail.com** with:
+
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested fix (if any)
+
+You should receive a response within 48 hours. Once confirmed, a fix will be prioritized and released as a patch version.
+
+## Scope
+
+This project sandboxes agent-executed commands using OS-level isolation. Security issues of particular interest include:
+
+- Sandbox escape (writing outside allowed paths)
+- Network allowlist bypass
+- Credential exposure through sandbox misconfiguration
+- Path traversal in configuration handling