fix(security): SHA-pin all GitHub Actions in ci.yml for OpenSSF compliance

- Pin dtolnay/rust-toolchain to SHA (was @stable)
- Pin Swatinem/rust-cache to SHA (was @v2)
- Pin actions/upload-artifact to v4.6.2 SHA (was @v6)
- Update SECURITY.md with project-specific policy (was boilerplate)
- Update STATE.scm with session history

Author: claude

.github/workflows/ci.yml

@@ -21,8 +21,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: dtolnay/rust-toolchain@6d9817901c499d6b02debbb57edb38d33daa680b # stable
+      - uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2
       - run: cargo check --workspace
 
   test:
@@ -32,8 +32,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: dtolnay/rust-toolchain@6d9817901c499d6b02debbb57edb38d33daa680b # stable
+      - uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2
       - run: cargo test --workspace
 
   fmt:
@@ -43,7 +43,7 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@6d9817901c499d6b02debbb57edb38d33daa680b # stable
         with:
           components: rustfmt
       - run: cargo fmt --all -- --check
@@ -55,10 +55,10 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@6d9817901c499d6b02debbb57edb38d33daa680b # stable
         with:
           components: clippy
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2
       - run: cargo clippy --workspace -- -D warnings
 
   build:
@@ -68,10 +68,10 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: dtolnay/rust-toolchain@6d9817901c499d6b02debbb57edb38d33daa680b # stable
+      - uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2
       - run: cargo build --release --workspace
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: conative-cli
           path: target/release/conative

SECURITY.md

@@ -2,20 +2,45 @@
 
 ## Supported Versions
 
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
-
 | Version | Supported          |
 | ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+| 0.1.x   | :white_check_mark: |
+
+## Security Measures
+
+This project follows RSR (Rhodium Standard Repository) security practices:
+
+- **SHA-pinned GitHub Actions**: All workflow actions use commit SHA pins for supply chain security
+- **SPDX License Headers**: All source files contain SPDX license identifiers
+- **OpenSSF Scorecard Compliance**: Continuous security monitoring via OSSF Scorecard
+- **CodeQL Analysis**: Automated static analysis for security vulnerabilities
+- **Dependency Scanning**: Automated alerts via Dependabot and cargo-audit
+- **No Weak Cryptography**: SHA256+ required for security purposes (no MD5/SHA1)
+- **HTTPS Only**: All external URLs must use HTTPS
 
 ## Reporting a Vulnerability
 
-Use this section to tell people how to report a vulnerability.
+If you discover a security vulnerability, please report it responsibly:
+
+1. **Do NOT** create a public GitHub issue for security vulnerabilities
+2. Email the maintainer at: jonathan.jewell@gmail.com
+3. Include:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact assessment
+   - Suggested fix (if any)
+
+### Response Timeline
+
+- **Initial Response**: Within 48 hours
+- **Triage**: Within 7 days
+- **Resolution**: Depending on severity
+  - Critical: Within 7 days
+  - High: Within 30 days
+  - Medium/Low: Within 90 days
+
+### Disclosure Policy
 
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+- We follow coordinated disclosure practices
+- Credit will be given to reporters in the security advisory (unless anonymity is requested)
+- Public disclosure after patch is released and users have reasonable time to update

STATE.scm

@@ -15,7 +15,7 @@
   '((version . "0.1.0")
     (schema-version . "1.0")
     (created . "2025-12-15")
-    (updated . "2025-12-15")
+    (updated . "2025-12-17")
     (project . "conative-gating")
     (repo . "github.com/hyperpolymath/conative-gating")))
 
@@ -151,6 +151,15 @@
 
 (define session-history
   '((snapshots
+     ((date . "2025-12-17")
+      (session . "scm-security-review")
+      (accomplishments
+       ("SHA-pinned all actions in ci.yml (dtolnay/rust-toolchain, Swatinem/rust-cache, actions/upload-artifact)"
+        "Updated SECURITY.md with project-specific policy (was boilerplate)"
+        "Verified all SCM files (ECOSYSTEM.scm, META.scm, STATE.scm)"
+        "Verified Nix flake configuration"
+        "Full OpenSSF Scorecard Pinned-Dependencies compliance"))
+      (notes . "Security audit and SCM review session"))
      ((date . "2025-12-15")
       (session . "security-fixes")
       (accomplishments
@@ -197,6 +206,6 @@
     (next-milestone . "v0.2 - Core Functionality")
     (critical-blockers . 0)
     (high-priority-issues . 0)
-    (updated . "2025-12-15")))
+    (updated . "2025-12-17")))
 
 ;;; End of STATE.scm