From 298876b6d23d5b490b083eed44b1cb7bd55c5c0a Mon Sep 17 00:00:00 2001
From: "Vitaly D." <netmin@pm.me>
Date: Mon, 8 Jun 2026 13:09:46 +0300
Subject: [PATCH] chore(repo): add public metadata and CI

Why:
- The repo audit identified missing public license, security, and CI metadata.
- Align the project with the nearby Signum public metadata shape while keeping this slice Rust-specific and minimal.
- GitHub's hosted runner uses a newer Clippy than the local toolchain, so CI also needs the existing LSP reader loop to satisfy current lint rules.

What changed:
- Added MIT license metadata and root LICENSE.
- Added public and internal security docs for reporting, trust boundaries, and sensitive surfaces.
- Added a pinned GitHub Actions CI workflow and shared deterministic test script.
- Linked the security/license files and CI script from README.
- Rewrote the LSP message reader loop as while-let to satisfy current Clippy without changing behavior.

Testing:
- bash scripts/run-deterministic-tests.sh
- bash -n scripts/run-deterministic-tests.sh
- GitHub Actions initial run observed; it failed before the Clippy compatibility fix.

Not tested:
- GitHub Actions hosted-runner execution after the amended fix is not observed yet.
- actionlint was not run because it is not installed locally.

Risk:
- narrow - CI may need further runner-specific adjustment after the next GitHub execution.
---
 .github/workflows/ci.yml           | 31 ++++++++++++++++++
 Cargo.toml                         |  1 +
 LICENSE                            | 21 ++++++++++++
 README.md                          | 12 +++++++
 SECURITY.md                        | 50 +++++++++++++++++++++++++++++
 docs/SECURITY.md                   | 51 ++++++++++++++++++++++++++++++
 scripts/run-deterministic-tests.sh |  9 ++++++
 src/core/lsp_bridge.rs             |  5 +--
 8 files changed, 176 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/ci.yml
 create mode 100644 LICENSE
 create mode 100644 SECURITY.md
 create mode 100644 docs/SECURITY.md
 create mode 100755 scripts/run-deterministic-tests.sh

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..9d9d18f
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,31 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  deterministic-tests:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout
+        # pinned from actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          fetch-depth: 0
+
+      - name: Tool versions
+        run: |
+          rustc --version
+          cargo --version
+          python3 --version
+
+      - name: Run deterministic tests
+        run: bash scripts/run-deterministic-tests.sh
diff --git a/Cargo.toml b/Cargo.toml
index ce30389..cc1d7fd 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,6 +3,7 @@ name = "code-intel-kernel"
 version = "0.0.0"
 edition = "2021"
 description = "Local-first structural code intelligence kernel for agent evidence, repo maps, diagnostics, and typed memory."
+license = "MIT"
 publish = false
 
 [lib]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d1fa314
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 AI Engineering Lab - AgentOps Research
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
index 8f5976b..3f64353 100644
--- a/README.md
+++ b/README.md
@@ -64,4 +64,16 @@ cargo test
 cargo clippy -- -D warnings
 ```
 
+The CI workflow runs the deterministic check bundle:
+
+```bash
+bash scripts/run-deterministic-tests.sh
+```
+
+## Security and License
+
+- Security reporting policy: `SECURITY.md`
+- Internal security notes: `docs/SECURITY.md`
+- License: MIT, see `LICENSE`
+
 The project is intentionally small and read-only first. Prefer explicit evidence and structured warnings over guesses.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..ef91ffe
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,50 @@
+# Security policy
+
+Thanks for helping keep Code Intelligence Kernel and its users safe.
+
+This file is the public reporting policy.
+For internal trust-boundary notes and sensitive surfaces, see `docs/SECURITY.md`.
+
+## Supported versions
+
+Until Code Intelligence Kernel starts publishing an explicit support matrix, the
+**latest `main`** branch state and the **latest tagged release** are the primary
+supported lines for security fixes.
+
+Older releases may not receive patches.
+
+## Reporting a vulnerability
+
+Please **do not** open a public GitHub issue for suspected security problems.
+
+Instead:
+
+1. Use the private contact route listed on [skill7.dev](https://skill7.dev).
+2. Include the affected path, reproduction steps, impact, and any proposed fix.
+3. Share only the minimum reproduction needed to validate the issue.
+
+If you cannot reach maintainers privately, open a minimal public issue that asks
+for a private handoff **without** including exploit details, secrets, or proof of
+concept.
+
+## What to expect
+
+We will make a good-faith effort to:
+
+- acknowledge receipt within a reasonable time;
+- assess severity and affected versions;
+- coordinate remediation and disclosure timing where appropriate.
+
+## Scope reminders
+
+Security-sensitive areas include:
+
+- repository inspection and path-containment logic;
+- source slicing and LSP process boundaries;
+- Research Radar source collection and report normalization;
+- any change that widens what external providers or services receive.
+
+## Out of scope
+
+This policy is not a bug bounty program and does not create any right to
+compensation.
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
new file mode 100644
index 0000000..44c529e
--- /dev/null
+++ b/docs/SECURITY.md
@@ -0,0 +1,51 @@
+# Code Intelligence Kernel Security
+
+## Trust Boundaries
+
+- **Local deterministic boundary**: Rust CLI/library code under `src/`, fixture evaluation under `tests/`, and JSON contracts under `docs/`.
+- **Repository input boundary**: `inspect`, `impact`, `symbols`, `source-evidence`, and `source-context` read local repository files and must treat malformed or unsupported input as structured warnings.
+- **LSP process boundary**: `lsp-diagnostics` may start `rust-analyzer` and must keep requests read-only, bounded, path-contained, and unavailable-safe.
+- **Research Radar boundary**: `research-radar/bin/` may collect public-source metadata and must write only normalized reports/state, not raw payload dumps or runtime code.
+
+## Sensitive Surfaces
+
+| Surface | Why sensitive |
+| --- | --- |
+| `src/core/source_context.rs` | Returns source slices and enforces path containment, ignored paths, symlink, UTF-8, and size handling. |
+| `src/core/lsp_bridge.rs` | Starts and communicates with an external language-server process. |
+| `src/core/repo_graph.rs` | Reads manifests and workflow files from arbitrary repositories. |
+| `src/core/source_evidence.rs` | Assembles evidence candidates that downstream users could overinterpret as localization. |
+| `research-radar/bin/run_daily.py` | Performs public-source collection and records license/terms notes. |
+| `research-radar/bin/validate_reports.py` | Guards generated reports/state against raw payloads, oversized files, and obvious secret patterns. |
+| `.github/workflows/` | Controls automated validation on repository changes. |
+
+## Existing Controls
+
+- Runtime commands are read-only and must not mutate inspected repositories.
+- Missing evidence is represented explicitly instead of guessed.
+- `where-to-edit` remains `insufficient_evidence` until a dedicated localization gate passes.
+- SourceContext refuses path traversal, ignored/generated paths, symlinks, missing files, non-UTF8 files, and oversized slices with structured warnings.
+- LSP diagnostics has deterministic unavailable/path-safety eval cases and does not expose mutation-capable LSP methods.
+- Research Radar validation checks changed-path allowlists, JSON/JSONL validity, file size, and obvious secret patterns.
+
+## Secrets and Data Handling
+
+- Do not add real credentials, tokens, cookies, private keys, or sensitive PII to fixtures, reports, docs, prompts, or examples.
+- Do not commit raw external API payloads from Research Radar runs.
+- Do not widen external-service or provider data exposure without updating this document and the relevant contract docs.
+- Keep reports and diagnostics as evidence, not implementation triggers or edit instructions.
+
+## Security Review Triggers
+
+- Any change to path handling, ignored-path logic, symlink handling, or source slicing.
+- Any change to `src/core/lsp_bridge.rs` process lifecycle, timeout, request, or parsing behavior.
+- Any change that makes `where-to-edit`, SourceEvidence, SourceContext, or LSP output more localization-like.
+- Any change to Research Radar collection, validation, source config, or generated report/state boundaries.
+- Any CI workflow, dependency, install script, or public API change.
+
+## Minimum Security Evidence for Sensitive Changes
+
+- Add or update deterministic tests for security-relevant behavior changes.
+- Run the full deterministic test script before merge.
+- Update public contract docs when externally visible behavior changes.
+- Keep LSP, SourceContext, SourceEvidence, and Research Radar outputs explicit about limitations and missing evidence.
diff --git a/scripts/run-deterministic-tests.sh b/scripts/run-deterministic-tests.sh
new file mode 100755
index 0000000..97bd210
--- /dev/null
+++ b/scripts/run-deterministic-tests.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cargo fmt --check
+cargo test
+cargo clippy -- -D warnings
+cargo run --quiet -- eval-fixtures --json
+python3 research-radar/bin/validate_reports.py
+git diff --check
diff --git a/src/core/lsp_bridge.rs b/src/core/lsp_bridge.rs
index f9b17ca..07e1be3 100644
--- a/src/core/lsp_bridge.rs
+++ b/src/core/lsp_bridge.rs
@@ -527,10 +527,7 @@ fn wait_for_response(receiver: &mpsc::Receiver<Value>, id: u64, timeout: Duratio
 
 fn read_lsp_messages<R: Read>(reader: R, sender: mpsc::Sender<Value>) {
     let mut reader = BufReader::new(reader);
-    loop {
-        let Some(length) = read_content_length(&mut reader) else {
-            break;
-        };
+    while let Some(length) = read_content_length(&mut reader) {
         let mut body = vec![0; length];
         if reader.read_exact(&mut body).is_err() {
             break;