docs: strengthen public security signals

Author: tw93

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @tw93

.github/ISSUE_TEMPLATE/bug_report.md

@@ -10,6 +10,8 @@ assignees: ''
 
 A clear and concise description of what the bug is. We suggest using English for better global understanding.
 
+If you believe the issue may allow unsafe deletion, path validation bypass, privilege boundary bypass, or release/install integrity issues, do not file a public bug report. Report it privately using the contact details in `SECURITY.md`.
+
 ## Steps to reproduce
 
 1. Run command: `mo ...`

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,8 @@
 blank_issues_enabled: false
 contact_links:
+  - name: Private Security Report
+    url: mailto:hitw93@gmail.com?subject=Mole%20security%20report
+    about: Report a suspected vulnerability privately instead of opening a public issue
   - name: Telegram Community
     url: https://t.me/+GclQS9ZnxyI2ODQ1
     about: Join our Telegram group for questions and discussions

.github/dependabot.yml

@@ -4,8 +4,18 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"
+    reviewers:
+      - "tw93"
+    open-pull-requests-limit: 10
 
   - package-ecosystem: "gomod"
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"
+    reviewers:
+      - "tw93"
+    open-pull-requests-limit: 10

.github/pull_request_template.md

@@ -0,0 +1,18 @@
+## Summary
+
+- Describe the change.
+
+## Safety Review
+
+- Does this change affect cleanup, uninstall, optimize, installer, remove, analyze delete, update, or install behavior?
+- Does this change affect path validation, protected directories, symlink handling, sudo boundaries, or release/install integrity?
+- If yes, describe the new boundary or risk change clearly.
+
+## Tests
+
+- List the automated tests you ran.
+- List any manual checks for high-risk paths or destructive flows.
+
+## Safety-related changes
+
+- None.

.github/workflows/codeql.yml

@@ -0,0 +1,52 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main, dev]
+  schedule:
+    - cron: '17 3 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: go
+            build-mode: manual
+          - language: actions
+            build-mode: none
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+
+      - name: Set up Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
+        with:
+          go-version: "1.24.6"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: security-extended
+
+      - name: Build for CodeQL
+        if: matrix.build-mode == 'manual'
+        run: make build
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - 'V*'
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   build:
@@ -58,6 +58,10 @@ jobs:
     name: Publish Release
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      attestations: write
+      id-token: write
     steps:
       - name: Download all artifacts
         uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
@@ -69,16 +73,32 @@ jobs:
       - name: Display structure of downloaded files
         run: ls -R bin/
 
+      - name: Generate release checksums
+        run: |
+          cd bin
+          mapfile -t release_files < <(find . -maxdepth 1 -type f -printf '%P\n' | sort)
+          if [[ ${#release_files[@]} -eq 0 ]]; then
+            echo "No release assets found"
+            exit 1
+          fi
+          sha256sum "${release_files[@]}" > SHA256SUMS
+          cat SHA256SUMS
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: |
+            bin/analyze-darwin-*
+            bin/status-darwin-*
+            bin/binaries-darwin-*.tar.gz
+            bin/SHA256SUMS
+
       - name: Create Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         if: startsWith(github.ref, 'refs/tags/')
         with:
           name: ${{ github.ref_name }}
           files: bin/*
-          body: |
-            Release assets are ready.
-
-            Final curated release notes should be applied with `gh release edit` after workflow verification.
           generate_release_notes: false
           draft: false
           prerelease: false

.github/workflows/test.yml

@@ -52,6 +52,9 @@ jobs:
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 
+      - name: Install tools
+        run: brew install bats-core
+
       - name: Check for unsafe rm usage
         run: |
           echo "Checking for unsafe rm patterns..."
@@ -86,3 +89,10 @@ jobs:
             exit 1
           fi
           echo "✓ No secrets found"
+
+      - name: Run high-risk path regression tests
+        env:
+          BATS_FORMATTER: tap
+          LANG: en_US.UTF-8
+          LC_ALL: en_US.UTF-8
+        run: bats tests/core_safe_functions.bats tests/purge.bats tests/installer.bats

README.md

@@ -74,10 +74,28 @@ mo purge --paths             # Configure project scan directories
 mo analyze /Volumes          # Analyze external drives only
 ```
 
+## Security & Safety Design
+
+Mole is a local system maintenance tool. Commands such as `clean`, `uninstall`, `purge`, `installer`, `remove`, and parts of `optimize` can perform destructive local operations.
+
+Mole is designed with safety-first defaults for local system maintenance.
+
+- Destructive operations are guarded by path validation, protected directory rules, conservative cleanup boundaries, and explicit confirmation where appropriate.
+- Mole prioritizes bounded cleanup over aggressive cleanup.
+- High-risk paths, sensitive data categories, system locations, and sudo flows have explicit protection boundaries.
+- When uncertainty exists, the tool should refuse, skip, or require stronger confirmation instead of widening deletion scope.
+- `mo analyze` is intentionally safer than cleanup flows for ad hoc deletion because it moves files to Trash through Finder instead of directly deleting them.
+- Release assets are published with SHA-256 checksums, curated safety notes, and GitHub artifact attestations.
+
+Review these documents before using high-risk commands:
+
+- [SECURITY.md](SECURITY.md)
+- [SECURITY_AUDIT.md](SECURITY_AUDIT.md)
+
 ## Tips
 
 - Video tutorial: Watch the [Mole tutorial video](https://www.youtube.com/watch?v=UEe9-w4CcQ0), thanks to PAPAYA 電腦教室.
-- Safety and logs: Deletions are permanent. Review with `--dry-run` first, and add `--debug` when needed. File operations are logged to `~/.config/mole/operations.log`. Disable with `MO_NO_OPLOG=1`. See [Security Audit](SECURITY_AUDIT.md).
+- Safety and logs: `clean`, `uninstall`, `purge`, `installer`, and `remove` are destructive. Review with `--dry-run` first, and add `--debug` when needed. File operations are logged to `~/.config/mole/operations.log`. Disable with `MO_NO_OPLOG=1`. Review [SECURITY.md](SECURITY.md) and [SECURITY_AUDIT.md](SECURITY_AUDIT.md).
 - Navigation: Mole supports arrow keys and Vim bindings `h/j/k/l`.
 
 ## Features in Detail

SECURITY.md

@@ -0,0 +1,76 @@
+# Security Policy
+
+Mole is a local system maintenance tool. It includes high-risk operations such as cleanup, uninstall, optimization, and artifact removal. We treat safety boundaries, deletion logic, and release integrity as security-sensitive areas.
+
+## Reporting a Vulnerability
+
+Please report suspected security issues privately.
+
+- Email: `hitw93@gmail.com`
+- Subject line: `Mole security report`
+
+Do not open a public GitHub issue for an unpatched vulnerability.
+
+If GitHub Security Advisories private reporting is enabled for the repository, you may use that channel instead of email.
+
+Include as much of the following as possible:
+
+- Mole version and install method
+- macOS version
+- Exact command or workflow involved
+- Reproduction steps or proof of concept
+- Whether the issue involves deletion boundaries, symlinks, sudo, path validation, or release/install integrity
+
+## Response Expectations
+
+- We aim to acknowledge new reports within 7 calendar days.
+- We aim to provide a status update within 30 days if a fix or mitigation is not yet available.
+- We will coordinate disclosure after a fix, mitigation, or clear user guidance is ready.
+
+Response times are best-effort for a maintainer-led open source project, but security reports are prioritized over normal bug reports.
+
+## Supported Versions
+
+Security fixes are only guaranteed for:
+
+- The latest published release
+- The current `main` branch
+
+Older releases may not receive security fixes. Users running high-risk commands should stay current.
+
+## What We Consider a Security Issue
+
+Examples of security-relevant issues include:
+
+- Path validation bypasses
+- Deletion outside intended cleanup boundaries
+- Unsafe handling of symlinks or path traversal
+- Unexpected privilege escalation or unsafe sudo behavior
+- Sensitive data removal that bypasses documented protections
+- Release, installation, update, or checksum integrity issues
+- Vulnerabilities in logic that can cause unintended destructive behavior
+
+## What Usually Does Not Qualify
+
+The following are usually normal bugs, feature requests, or documentation issues rather than security issues:
+
+- Cleanup misses that leave recoverable junk behind
+- False negatives where Mole refuses to clean something
+- Cosmetic UI problems
+- Requests for broader or more aggressive cleanup behavior
+- Compatibility issues without a plausible security impact
+
+If you are unsure whether something is security-relevant, report it privately first.
+
+## Security-Focused Areas in Mole
+
+The project pays particular attention to:
+
+- Destructive command boundaries
+- Path validation and protected-directory rules
+- Sudo and privilege boundaries
+- Symlink and path traversal handling
+- Sensitive data exclusions
+- Packaging, release artifacts, checksums, and update/install flows
+
+For the current technical design and known limitations, see [SECURITY_AUDIT.md](SECURITY_AUDIT.md).