From d72bcb4ad5644982b915eba1487ce835799dd305 Mon Sep 17 00:00:00 2001 From: Paolo Dettori Date: Fri, 13 Mar 2026 14:14:57 -0400 Subject: [PATCH] feat: add security governance (CODEOWNERS, SECURITY.md, CONTRIBUTING.md, .gitignore) Add security governance baseline for agent-toolkit: - .github/CODEOWNERS with kagenti team ownership - SECURITY.md with vulnerability reporting via GitHub Security Advisories - CONTRIBUTING.md with development setup, PR process, DCO sign-off - .gitignore hardened with secrets, credentials, IDE, and OS patterns Assisted-By: Claude (Anthropic AI) Signed-off-by: Paolo Dettori --- .github/CODEOWNERS | 10 +++++++ .gitignore | 19 +++++++++++++ CONTRIBUTING.md | 68 ++++++++++++++++++++++++++++++++++++++++++++++ SECURITY.md | 37 +++++++++++++++++++++++++ 4 files changed, 134 insertions(+) create mode 100644 .github/CODEOWNERS create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..e1efe7d --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,10 @@ +# Default owners for everything +* @kagenti/maintainers + +# Platform and CI +.github/ @kagenti/platform +Makefile @kagenti/platform + +# Documentation +docs/ @kagenti/maintainers +*.md @kagenti/maintainers diff --git a/.gitignore b/.gitignore index b7faf40..fd80067 100644 --- a/.gitignore +++ b/.gitignore @@ -205,3 +205,22 @@ cython_debug/ marimo/_static/ marimo/_lsp/ __marimo__/ + +# Secrets and credentials +.env.* +.env.local +*.key +*.pem +*.p12 +*.jks +credentials.* +secrets.* +*kubeconfig* + +# IDE +.idea/ +.vscode/ + +# OS files +.DS_Store +Thumbs.db diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..87636be --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,68 @@ +# Contributing to Agent Toolkit + +We are grateful for your interest in joining the Kagenti community and making +a positive impact. Whether you're raising issues, enhancing documentation, +fixing bugs, or developing new features, your contributions are essential to +our success. + +## Development Setup + +1. Clone the repository: + + ```bash + git clone https://github.com/kagenti/agent-toolkit.git + cd agent-toolkit + ``` + +2. Install pre-commit hooks: + + ```bash + pip install pre-commit + make install-hooks + ``` + +3. Run linting: + + ```bash + make lint + ``` + +## Pull Request Process + +1. Fork the repository +2. Create a feature branch from `main` +3. Make your changes with tests +4. Run pre-commit hooks: `pre-commit run --all-files` +5. Submit a pull request + +Smaller pull requests are typically easier to review and merge. If your pull +request is large, collaborate with the maintainers to find the best way to +divide it. + +## Commit Messages + +Use conventional commit format: + +- `feat:` New features +- `fix:` Bug fixes +- `docs:` Documentation changes +- `chore:` Maintenance tasks +- `refactor:` Code refactoring +- `test:` Adding or updating tests + +## Certificate of Origin + +All commits **must** include a `Signed-off-by` trailer (Developer Certificate +of Origin). Use the `-s` flag when committing: + +```bash +git commit -s -m "feat: add new feature" +``` + +By contributing to this project you agree to the +[Developer Certificate of Origin](https://developercertificate.org/) (DCO). + +## Licensing + +Agent Toolkit is [Apache 2.0 licensed](LICENSE) and we accept contributions +via GitHub pull requests. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..1be9d9c --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,37 @@ +# Security Policy + +## Reporting a Vulnerability + +We take security vulnerabilities seriously. If you discover a security issue, +please report it responsibly. + +### How to Report + +1. **Do NOT create public GitHub issues** for security vulnerabilities +2. **Email**: Report vulnerabilities privately via GitHub Security Advisories + - Go to the [Security tab](../../security/advisories/new) and create a new advisory +3. **Include**: A clear description of the vulnerability, steps to reproduce, + and potential impact + +### What to Expect + +- We will acknowledge receipt within 48 hours +- We aim to provide an initial assessment within 7 days +- We will keep you informed of our progress +- We will credit you in the security advisory (if desired) + +## Supported Versions + +| Version | Supported | +|---------|--------------------| +| main | :white_check_mark: | + +## Security Measures + +This project implements several security controls: + +- **CI/CD Security**: All workflows use explicit least-privilege permissions +- **Dependency Scanning**: Automated vulnerability scanning via Trivy and Dependabot +- **Code Analysis**: CodeQL with `security-extended` queries +- **Supply Chain**: All GitHub Actions SHA-pinned, OpenSSF Scorecard monitoring +- **Pre-commit Hooks**: Ruff linting and formatting checks
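Review bot: In .github/CODEOWNERS, the trailing `*.md @kagenti/maintainers` rule comes after `.github/ @kagenti/platform`, and GitHub applies the last matching pattern, so Markdown files under `.github/` end up owned by maintainers rather than platform. If platform is meant to own everything under `.github/`, move the `.github/` and `Makefile` rules to the end of the file. The `docs/` and `*.md` lines also assign the same team as the `*` default, so they can be dropped unless they are placeholders for a later ownership split.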
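Review bot: In the .gitignore hunk, `credentials.*` and `secrets.*` have no slash, so they match by file name at any depth and will also silently ignore source or documentation files such as a `secrets.py` module or a `secrets.md` page; narrow them to data extensions or anchor them to the directories where such files are expected. `.env.local` is already covered by `.env.*` and can be removed, and `.env.*` will also ignore a template such as `.env.example` unless a negation like `!.env.example` follows it. These patterns only affect untracked files, so any matching file that is already tracked stays tracked.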
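Review bot: In CONTRIBUTING.md, Development Setup steps 2 and 3 rely on `make install-hooks` and `make lint`, but the diffstat for this patch lists only four files and no Makefile, so these targets cannot be checked from the change; confirm they exist on `main` or add them with this patch. Step 1 also clones `kagenti/agent-toolkit` directly while Pull Request Process step 1 says to fork the repository, so state which remote a contributor should clone. "Make your changes with tests" has no matching command for running the tests.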
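Review bot: In SECURITY.md, item 2 under How to Report is labelled `**Email**` but gives no address and describes GitHub Security Advisories instead; relabel it to match the channel, or add the address if email reporting is intended. The Security Measures list names Trivy, Dependabot, CodeQL with `security-extended`, SHA-pinned GitHub Actions and OpenSSF Scorecard, none of which are configured by the four files in this patch, so link each item to the workflow or config that implements it, or land this section together with those changes.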