chore: prepare v0.7.5 release

- Add SECURITY.md with responsible disclosure policy
- Add crypto domain event tests (achieve 100% crypto domain coverage)
- Bump version to 0.7.5
- Update README with release notes

Coverage Summary:
- Overall: 66.9% across 26 packages
- Core domain logic: 85.5% average
- Crypto domain: 100.0% (90% requirement met)
- Steganography: 88.3%+ across all techniques
- Infrastructure: 77.5% average (meets 60% requirement)

Author: greysquirr3l

README.md

@@ -8,7 +8,7 @@
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)
 [![Status](https://img.shields.io/badge/Status-Phase%205%20Complete-brightgreen.svg)](docs/implementation_plan_todo.md)
 [![Build](https://img.shields.io/badge/Build-Passing-success.svg)](https://github.com/greysquirr3l/shadowforge)
-[![Coverage](https://img.shields.io/badge/Coverage-85%25+-brightgreen.svg)](https://github.com/greysquirr3l/shadowforge)
+[![Coverage](https://img.shields.io/badge/Coverage-66%25+-brightgreen.svg)](https://github.com/greysquirr3l/shadowforge)
 
 **Shadowforge** is a production-grade quantum-resistant steganography tool that combines
 NIST-approved post-quantum cryptography, Reed-Solomon error correction, and multiple

SECURITY.md

@@ -0,0 +1,148 @@
+# Security Policy
+
+## Supported Versions
+
+We take security seriously. The following versions of Shadowforge are currently supported with security updates:
+
+| Version | Supported          | Status |
+| ------- | ------------------ | ------ |
+| 0.7.x   | :white_check_mark: | Current stable release |
+| < 0.7.0 | :x:                | No longer supported |
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+If you discover a security vulnerability in Shadowforge, please report it responsibly:
+
+### Primary Contact
+
+- **Email**: <s0ma@protonmail.com> (if available) or open a [private security advisory](https://github.com/greysquirr3l/shadowforge/security/advisories/new)
+- **Response Time**: We aim to respond within 48 hours
+
+### What to Include
+
+Please include the following information in your report:
+
+- **Description**: A clear description of the vulnerability
+- **Impact**: The potential impact and severity
+- **Steps to Reproduce**: Detailed steps to reproduce the issue
+- **Proof of Concept**: Any PoC code or examples (if applicable)
+- **Affected Versions**: Which versions are affected
+- **Suggested Fix**: If you have a suggested remediation (optional)
+
+### Security Scope
+
+We are particularly interested in vulnerabilities related to:
+
+- ✅ **Cryptographic Operations**: Kyber-1024, Dilithium3, key generation, encryption/decryption
+- ✅ **Steganographic Techniques**: LSB, DCT, Phase, Echo, Palette, Text, LSB-Audio
+- ✅ **Reed-Solomon Error Correction**: Encoding/decoding, shard recovery
+- ✅ **Archive Handling**: Zip slip, path traversal, malicious archives
+- ✅ **Input Validation**: Command injection, file path manipulation
+- ✅ **Memory Safety**: Buffer overflows, memory leaks, sensitive data exposure
+- ✅ **Side-Channel Attacks**: Timing attacks, cache attacks on cryptographic operations
+- ✅ **Authentication/Authorization**: Key management, access control
+
+### Out of Scope
+
+The following are generally **not** considered security vulnerabilities:
+
+- ❌ Vulnerabilities in dependencies (report to upstream projects)
+- ❌ Social engineering attacks
+- ❌ Denial of service through resource exhaustion (expected behavior for large files)
+- ❌ Issues in unsupported versions (< 0.7.0)
+- ❌ Theoretical attacks without practical exploitation
+
+## Responsible Disclosure Policy
+
+We follow a **90-day disclosure timeline**:
+
+1. **Day 0**: You report the vulnerability privately
+2. **Day 1-7**: We acknowledge receipt and begin investigation
+3. **Day 7-30**: We develop and test a fix
+4. **Day 30-60**: We prepare a security release
+5. **Day 60-90**: We coordinate disclosure with you
+6. **Day 90**: Public disclosure (or earlier if mutually agreed)
+
+### Credit and Recognition
+
+- We will credit you in the security advisory (unless you prefer to remain anonymous)
+- We maintain a [Security Hall of Fame](https://github.com/greysquirr3l/shadowforge/security/advisories) for responsible disclosures
+- Critical vulnerabilities may be eligible for recognition
+
+## Security Best Practices
+
+When using Shadowforge, follow these security guidelines:
+
+### Cryptographic Operations
+
+- ✅ **Always verify signatures** before trusting extracted data
+- ✅ **Use strong passphrases** for key derivation (20+ characters)
+- ✅ **Rotate keys regularly** for long-term deployments
+- ✅ **Securely store private keys** (use hardware security modules if possible)
+- ❌ **Never reuse keys** across different contexts
+
+### Steganographic Operations
+
+- ✅ **Use high-quality cover media** to minimize detectability
+- ✅ **Monitor capacity limits** to avoid overwriting critical data
+- ✅ **Validate extracted data** for corruption or tampering
+- ✅ **Use Reed-Solomon encoding** for error correction (30% redundancy recommended)
+- ❌ **Don't embed in compressed media** (JPEG quality > 85 recommended)
+
+### Archive Operations
+
+- ✅ **Validate archive contents** before extraction
+- ✅ **Extract to isolated directories** to prevent path traversal
+- ✅ **Scan archives for malware** before processing
+- ✅ **Limit archive sizes** to prevent resource exhaustion
+- ❌ **Never auto-extract untrusted archives**
+
+### Operational Security
+
+- ✅ **Run with least privilege** (don't use root/admin unless required)
+- ✅ **Use secure channels** for key exchange (never email keys)
+- ✅ **Audit all operations** in production environments
+- ✅ **Keep software updated** to the latest stable version
+- ❌ **Never log sensitive data** (keys, payloads, passphrases)
+
+## Security Audits
+
+Shadowforge undergoes regular security reviews:
+
+- **Code Reviews**: All cryptographic code is peer-reviewed
+- **Dependency Scanning**: Automated vulnerability scanning with `go list -m all | nancy sleuth`
+- **Static Analysis**: `go vet` and `golangci-lint` on every commit
+- **Penetration Testing**: Periodic security assessments (planned)
+
+## Known Security Considerations
+
+### Post-Quantum Cryptography
+
+- **Kyber-1024**: NIST standardized (FIPS 203) - secure against quantum attacks
+- **Dilithium3**: NIST standardized (FIPS 204) - quantum-resistant signatures
+- **Implementation**: Uses Cloudflare CIRCL library (audited)
+
+### Steganographic Detection
+
+- **Statistical Analysis**: LSB/DCT techniques detectable with RS/Chi-square analysis
+- **Mitigation**: Use high-quality media, stay under capacity limits, apply ±1 LSB matching
+- **Recommendation**: Combine multiple techniques with chaining for enhanced security
+
+### Reed-Solomon Error Correction
+
+- **Redundancy Trade-off**: Higher redundancy = better recovery but larger payload
+- **Recommendation**: 30% redundancy (3 parity shards per 10 data shards) for standard use
+- **Critical Data**: Use 50%+ redundancy for high-reliability requirements
+
+## Contact
+
+- **General Security**: <s0ma@protonmail.com> (if available)
+- **GitHub Security Advisories**: [Create Private Advisory](https://github.com/greysquirr3l/shadowforge/security/advisories/new)
+- **Project Maintainer**: [@greysquirr3l](https://github.com/greysquirr3l)
+
+---
+
+**Last Updated**: December 21, 2025
+**Version**: 0.7.5

internal/domain/crypto/events_test.go

@@ -0,0 +1,209 @@
+package crypto_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/greysquirr3l/shadowforge/internal/domain/crypto"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPayloadEncrypted_Event(t *testing.T) {
+	// Arrange
+	now := time.Now()
+	payloadID, _ := crypto.NewPayloadID("test-payload-123")
+	event := crypto.PayloadEncrypted{
+		PayloadID:   payloadID,
+		Algorithm:   crypto.Kyber1024,
+		EncryptedAt: now,
+	}
+
+	// Act & Assert - OccurredAt
+	assert.Equal(t, now, event.OccurredAt())
+
+	// Act & Assert - EventType
+	assert.Equal(t, "crypto.payload_encrypted", event.EventType())
+
+	// Assert implements DomainEvent interface
+	var _ crypto.DomainEvent = event
+}
+
+func TestPayloadDecrypted_Event(t *testing.T) {
+	// Arrange
+	now := time.Now()
+	payloadID, _ := crypto.NewPayloadID("test-payload-456")
+	event := crypto.PayloadDecrypted{
+		PayloadID:   payloadID,
+		DecryptedAt: now,
+	}
+
+	// Act & Assert - OccurredAt
+	assert.Equal(t, now, event.OccurredAt())
+
+	// Act & Assert - EventType
+	assert.Equal(t, "crypto.payload_decrypted", event.EventType())
+
+	// Assert implements DomainEvent interface
+	var _ crypto.DomainEvent = event
+}
+
+func TestPayloadSigned_Event(t *testing.T) {
+	// Arrange
+	now := time.Now()
+	payloadID, _ := crypto.NewPayloadID("test-payload-789")
+	event := crypto.PayloadSigned{
+		PayloadID: payloadID,
+		Algorithm: crypto.Dilithium3,
+		SignedAt:  now,
+	}
+
+	// Act & Assert - OccurredAt
+	assert.Equal(t, now, event.OccurredAt())
+
+	// Act & Assert - EventType
+	assert.Equal(t, "crypto.payload_signed", event.EventType())
+
+	// Assert implements DomainEvent interface
+	var _ crypto.DomainEvent = event
+}
+
+func TestSignatureVerified_Event(t *testing.T) {
+	tests := []struct {
+		name  string
+		valid bool
+	}{
+		{"valid signature", true},
+		{"invalid signature", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Arrange
+			now := time.Now()
+			payloadID, _ := crypto.NewPayloadID("test-payload-sig")
+			event := crypto.SignatureVerified{
+				PayloadID:  payloadID,
+				Valid:      tt.valid,
+				VerifiedAt: now,
+			}
+
+			// Act & Assert - OccurredAt
+			assert.Equal(t, now, event.OccurredAt())
+
+			// Act & Assert - EventType
+			assert.Equal(t, "crypto.signature_verified", event.EventType())
+
+			// Assert - Valid field
+			assert.Equal(t, tt.valid, event.Valid)
+
+			// Assert implements DomainEvent interface
+			var _ crypto.DomainEvent = event
+		})
+	}
+}
+
+func TestKeyPairGenerated_Event(t *testing.T) {
+	tests := []struct {
+		name      string
+		algorithm crypto.PQCAlgorithm
+	}{
+		{"Kyber1024", crypto.Kyber1024},
+		{"Dilithium3", crypto.Dilithium3},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Arrange
+			now := time.Now()
+			event := crypto.KeyPairGenerated{
+				Algorithm:   tt.algorithm,
+				GeneratedAt: now,
+			}
+
+			// Act & Assert - OccurredAt
+			assert.Equal(t, now, event.OccurredAt())
+
+			// Act & Assert - EventType
+			assert.Equal(t, "crypto.keypair_generated", event.EventType())
+
+			// Assert - Algorithm field
+			assert.Equal(t, tt.algorithm, event.Algorithm)
+
+			// Assert implements DomainEvent interface
+			var _ crypto.DomainEvent = event
+		})
+	}
+}
+
+func TestDomainEvents_Timestamps(t *testing.T) {
+	// Arrange
+	past := time.Now().Add(-1 * time.Hour)
+	future := time.Now().Add(1 * time.Hour)
+
+	tests := []struct {
+		name  string
+		event crypto.DomainEvent
+		time  time.Time
+	}{
+		{
+			"PayloadEncrypted",
+			crypto.PayloadEncrypted{EncryptedAt: past},
+			past,
+		},
+		{
+			"PayloadDecrypted",
+			crypto.PayloadDecrypted{DecryptedAt: future},
+			future,
+		},
+		{
+			"PayloadSigned",
+			crypto.PayloadSigned{SignedAt: past},
+			past,
+		},
+		{
+			"SignatureVerified",
+			crypto.SignatureVerified{VerifiedAt: future},
+			future,
+		},
+		{
+			"KeyPairGenerated",
+			crypto.KeyPairGenerated{GeneratedAt: past},
+			past,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Act
+			occurredAt := tt.event.OccurredAt()
+
+			// Assert
+			assert.Equal(t, tt.time, occurredAt,
+				"Event %s should return correct timestamp", tt.name)
+		})
+	}
+}
+
+func TestDomainEvents_TypeStrings(t *testing.T) {
+	tests := []struct {
+		event        crypto.DomainEvent
+		expectedType string
+	}{
+		{crypto.PayloadEncrypted{}, "crypto.payload_encrypted"},
+		{crypto.PayloadDecrypted{}, "crypto.payload_decrypted"},
+		{crypto.PayloadSigned{}, "crypto.payload_signed"},
+		{crypto.SignatureVerified{}, "crypto.signature_verified"},
+		{crypto.KeyPairGenerated{}, "crypto.keypair_generated"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.expectedType, func(t *testing.T) {
+			// Act
+			eventType := tt.event.EventType()
+
+			// Assert
+			assert.Equal(t, tt.expectedType, eventType,
+				"Event should return correct type string")
+		})
+	}
+}

pkg/version/VERSION

@@ -1 +1 @@
-0.6.0
+0.7.5