diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000..67232983 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,27 @@ +# Global fallback +* @v1truv1us + +# Core commands +/cmd/ @v1truv1us + +# Ritual system +/internal/ritual/ @v1truv1us + +# Time tracking +/internal/time/ @v1truv1us + +# Project detection +/internal/project/ @v1truv1us + +# Integrations (Git, Slack, Calendar) +/internal/integrations/ @v1truv1us + +# Configuration +/configs/ @v1truv1us + +# CI/CD +/.github/workflows/ @v1truv1us + +# Documentation +*.md @v1truv1us +SECURITY.md @v1truv1us diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 00000000..432decb4 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -0,0 +1,45 @@ +name: Bug Report +description: Report a bug in rune +title: "[Bug]: " +labels: ["bug", "triage"] +body: + - type: markdown + attributes: + value: | + Thanks for reporting a bug! + - type: input + id: version + attributes: + label: Version + placeholder: "0.1.0" + validations: + required: true + - type: dropdown + id: os + attributes: + label: OS + options: + - macOS + - Linux + - Windows + - type: textarea + id: description + attributes: + label: Bug Description + validations: + required: true + - type: textarea + id: reproduce + attributes: + label: Steps to Reproduce + placeholder: | + 1. rune start + 2. ... + validations: + required: true + - type: textarea + id: config + attributes: + label: Config + description: Relevant config from ~/.rune/config.yaml + render: yaml diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..2db12b98 --- /dev/null +++ b/.github/pull_request_template.md 
@@ -0,0 +1,16 @@ +## Description + +## Type +- [ ] Bug fix +- [ ] Feature +- [ ] Docs +- [ ] Refactor + +## Testing +- [ ] Tests pass (`make test`) +- [ ] Manual testing + +## Checklist +- [ ] Code follows style +- [ ] Tests cover changes +- [ ] CHANGELOG updated diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..cf69ebc6 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,59 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 0.1.x | ✅ Yes (current) | +| < 0.1.0 | ❌ No | + +## Reporting a Vulnerability + +We take security seriously. If you discover a security vulnerability in Rune, please report it responsibly. + +### How to Report + +**Email:** security@v1truv1us.dev (or your preferred security contact) + +Please include: +- Description of the vulnerability +- Steps to reproduce +- Potential impact assessment +- Suggested fix (if any) + +### Response Timeline + +- **Acknowledgment:** Within 48 hours +- **Initial assessment:** Within 7 days +- **Fix timeline:** Target 90 days (or as negotiated for complex issues) +- **Disclosure:** Coordinated disclosure 14 days after fix release + +### Security Considerations for Rune + +Rune executes user-defined commands from YAML configuration. Key security concerns: + +1. **Command Execution:** Rune runs shell commands defined in rituals. Ensure: + - Only trusted configuration sources + - Sandboxing where possible + - Audit logging enabled + +2. **Environment Variables:** Rune may handle sensitive tokens. Ensure: + - No logging of env vars with secrets + - OS keychain integration for credentials + +3. **Network Access:** Git integrations and updates require network. Ensure: + - HTTPS for all external calls + - Certificate validation + +### Disclosure Policy + +We follow coordinated disclosure: +1. Reporter submits vulnerability +2. We acknowledge and assess +3. We develop and test fix +4. We release fix and credit reporter (with permission) +5. Public disclosure after grace period + +### Bug Bounty + +Rune does not currently offer a bug bounty program. We appreciate responsible disclosure and will credit researchers in our CHANGELOG.
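Review bot: In the CODEOWNERS hunk, the `SECURITY.md @v1truv1us` line is redundant because the preceding `*.md @v1truv1us` pattern already matches it; drop one of the two, or keep the explicit line only if the intent is to add a second, distinct owner for the security policy. More importantly, every path including `/.github/workflows/` resolves to the same single owner, so CODEOWNERS gives no independent review of CI changes; note in the PR description whether branch protection is configured to require code-owner review, since without that setting this file has no enforcement effect.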
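Review bot: In the bug_report.yml hunk, the `config` textarea asks reporters to paste "Relevant config from ~/.rune/config.yaml" with no warning to redact secrets, while the SECURITY.md hunk in the same patch states that Rune "may handle sensitive tokens" via environment variables and configuration. Extend the description, for example `description: Relevant config from ~/.rune/config.yaml (remove tokens, API keys and other secrets before pasting)`, so public issues do not become a credential leak. Also, the `os` dropdown has no `validations: required: true` while the other fields do; add it if the OS is needed for triage.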
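Review bot: In the pull_request_template.md hunk, the Checklist has no item covering security impact even though SECURITY.md in this patch says Rune "runs shell commands defined in rituals" and handles tokens; add a line such as `- [ ] Security impact considered (command execution, secrets, network)` so changes touching those areas get a deliberate check during review.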
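Review bot: In the SECURITY.md hunk, the reporting contact still contains template filler: `**Email:** security@v1truv1us.dev (or your preferred security contact)`. A published policy must give one definite, monitored address, so remove the parenthetical and confirm the mailbox exists before merging; otherwise reports will go nowhere and the 48-hour acknowledgment commitment cannot be met. The "Security Considerations for Rune" list also mixes current behaviour with aspirations ("Sandboxing where possible", "Audit logging enabled") without saying which are implemented; either reword these as recommendations to users ("use only trusted configuration sources") or document what Rune actually does today, so reporters can tell a missing control from a bug.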