From b0571e48fa5934b7f26c73eb37af24222d18a147 Mon Sep 17 00:00:00 2001 From: Paolo Dettori Date: Fri, 13 Mar 2026 14:48:04 -0400 Subject: [PATCH 1/2] feat: add security governance (CODEOWNERS, SECURITY.md, .gitignore) Establish security governance baseline: - .github/CODEOWNERS: auto-review routing to @kagenti/maintainers for all files, with explicit ownership for src/, plugins/, .github/, and governance docs - SECURITY.md: vulnerability reporting via GitHub Security Advisories, response timeline, supported versions, security controls table (trivy, dependabot, bandit, codeql, scorecard, SHA-pinned actions), and security-sensitive areas for reviewers - .gitignore: add missing patterns: - .env.* and .env.local (credential files) - .vscode/ (VS Code workspace) - .idea/ (JetBrains IDEs, was commented out) - *.pem, *.key, *.p12, *.jks (TLS/crypto keys) - kubeconfig, *kubeconfig* (Kubernetes credentials) - credentials.*, secrets.* (generic secret files) LICENSE (Apache 2.0) and CONTRIBUTING.md were already present. Assisted-By: Claude (Anthropic AI) Signed-off-by: Paolo Dettori --- .github/CODEOWNERS | 29 ++++++++++++++++++++++ .gitignore | 23 ++++++++++++----- SECURITY.md | 62 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 108 insertions(+), 6 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..f49694b --- /dev/null +++ b/.github/CODEOWNERS 
@@ -0,0 +1,29 @@ +# CODEOWNERS +# +# Defines code ownership for automatic review requests on pull requests. +# Owners are notified when files in their area are changed. +# +# Syntax: [ ...] +# Patterns follow .gitignore rules. Last matching rule wins. +# +# Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +# Default: all maintainers review everything +* @kagenti/maintainers + +# CI and developer tooling +.github/ @kagenti/maintainers +Makefile @kagenti/maintainers +pyproject.toml @kagenti/maintainers +.pre-commit-config.yaml @kagenti/maintainers + +# Core server implementation — highest impact changes +src/ @kagenti/maintainers + +# Plugin framework and examples +plugins/ @kagenti/maintainers + +# Documentation and governance +*.md @kagenti/maintainers +CODEOWNERS @kagenti/maintainers +SECURITY.md @kagenti/maintainers diff --git a/.gitignore b/.gitignore index 285986c..57a214c 100644 --- a/.gitignore +++ b/.gitignore @@ -135,6 +135,8 @@ celerybeat.pid # Environments .env +.env.* +.env.local .venv env/ venv/ @@ -166,9 +168,18 @@ dmypy.json # Cython debug symbols cython_debug/ -# PyCharm -# JetBrains specific template is maintained in a separate JetBrains.gitignore that can -# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore -# and can be added to the global gitignore or merged into this file. For a more nuclear -# option (not recommended) you can uncomment the following to ignore the entire idea folder. -#.idea/ +# PyCharm / JetBrains +.idea/ + +# VS Code +.vscode/ + +# Credentials and secrets +*.pem +*.key +*.p12 +*.jks +kubeconfig +*kubeconfig* +credentials.* +secrets.* diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..53db650 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,62 @@ +# Security Policy + +## Reporting a Vulnerability + +Please report security vulnerabilities through GitHub Security Advisories — +**do NOT open public issues for security bugs**. + +**[Report a vulnerability →](https://github.com/kagenti/plugins-adapter/security/advisories/new)** + +Include: +- A clear description of the vulnerability +- Steps to reproduce +- Potential impact assessment +- Any suggested mitigations (optional) + +## Response Timeline + +| Stage | Target | +|-------|--------| +| Acknowledgment | Within 48 hours | +| Initial assessment | Within 7 days | +| Status update | Weekly until resolved | +| Credit | In the security advisory (if desired) | + +## Supported Versions + +| Version | Supported | +|---------|-----------| +| `main` | ✅ | + +Older tagged releases receive security fixes on a best-effort basis. + +## Security Controls + +This repository implements the following security measures: + +| Control | Tool | +|---------|------| +| Dependency vulnerability scanning | Trivy (CRITICAL/HIGH on PRs) | +| Dependency updates | Dependabot (weekly, all ecosystems) | +| Python SAST | Bandit (HIGH severity blocks PRs) | +| Code analysis | CodeQL (security-extended queries) | +| Dockerfile lint | Hadolint | +| Secret detection | Pre-commit hooks | +| Supply chain | OpenSSF Scorecard (weekly), SHA-pinned actions | +| License compliance | Dependency Review Action (GPL/AGPL blocked) | + +## Security-Sensitive Areas + +Changes to the following require extra scrutiny: + +- `src/server.py` — gRPC ext-proc server handling all traffic +- `plugins/` — Plugin interface and example implementations +- `.github/workflows/` — CI/CD pipeline +- `Dockerfile` — Container image + +## Disclosure Policy + +We follow coordinated disclosure. Once a fix is available: +1. A security advisory is published on GitHub +2. A new release tag is pushed +3. The advisory is made public (typically 7 days after the fix is released) 
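Review bot: in the new `.github/CODEOWNERS`, every rule after `* @kagenti/maintainers` assigns the same team, so under "Last matching rule wins" the entries for `.github/`, `src/`, `plugins/`, `*.md` and the rest route reviews exactly as the default does. Either drop them or give the area commented as "highest impact changes" a distinct owner, so the file does what its comments describe. The `# Syntax: [ ...]` comment line reads as incomplete; spell out the pattern and owner fields. The unanchored `CODEOWNERS` pattern matches a file of that name in any directory; `/.github/CODEOWNERS` would pin it to this file.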
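Review bot: in the `.gitignore` hunk at `@@ -135,6 +135,8 @@`, the added `.env.local` is redundant because `.env.*` on the line above it already matches that name. `.env.*` also ignores any committed template with that prefix; if the repository keeps one (for example a file named `.env.example`), add a negation line for it after `.env.*`.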
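Review bot: in the `.gitignore` hunk at `@@ -166,9 +168,18 @@`, `credentials.*` and `secrets.*` match any extension at any depth, so a Python module named `credentials.py` or `secrets.py` under `src/` or `plugins/` would be silently left out of commits. Narrow these to data extensions or add a `!*.py` style negation after them. `*.key` has the same breadth and deserves the same check against existing test fixtures. `kubeconfig` is already covered by `*kubeconfig*` and can be dropped.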
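Review bot: in the Disclosure Policy list of `SECURITY.md`, step 1 says the advisory "is published on GitHub" and step 3 says it "is made public (typically 7 days after the fix is released)", which reads as the same event happening twice. Reword step 1 to say the advisory is drafted and kept private until step 3, or merge the two steps. Under Supported Versions, the table lists only `main` while the next sentence promises best-effort fixes for older tagged releases; add a row for tagged releases so table and text agree. The Security Controls table names Trivy, Bandit, CodeQL, Hadolint and others, but the diffstat shows only three files changed and none is a workflow or hook configuration, so link each row to the file that implements it or confirm in the description that those checks already exist.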
From 6fe9128de0bcaf67be8228d453e2453b3580803d Mon Sep 17 00:00:00 2001 From: Paolo Dettori Date: Fri, 13 Mar 2026 15:58:45 -0400 Subject: [PATCH 2/2] chore: use correct team name in CODEOWNERS Replace @kagenti/maintainers with @kagenti/plugin-adapters-maintainers per reviewer feedback. Assisted-By: Claude (Anthropic AI) Signed-off-by: Paolo Dettori --- .github/CODEOWNERS | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index f49694b..9478574 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -9,21 +9,21 @@ # Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners # Default: all maintainers review everything -* @kagenti/maintainers +* @kagenti/plugin-adapters-maintainers # CI and developer tooling -.github/ @kagenti/maintainers -Makefile @kagenti/maintainers -pyproject.toml @kagenti/maintainers -.pre-commit-config.yaml @kagenti/maintainers +.github/ @kagenti/plugin-adapters-maintainers +Makefile @kagenti/plugin-adapters-maintainers +pyproject.toml @kagenti/plugin-adapters-maintainers +.pre-commit-config.yaml @kagenti/plugin-adapters-maintainers # Core server implementation — highest impact changes -src/ @kagenti/maintainers +src/ @kagenti/plugin-adapters-maintainers # Plugin framework and examples -plugins/ @kagenti/maintainers +plugins/ @kagenti/plugin-adapters-maintainers # Documentation and governance -*.md @kagenti/maintainers -CODEOWNERS @kagenti/maintainers -SECURITY.md @kagenti/maintainers +*.md @kagenti/plugin-adapters-maintainers +CODEOWNERS @kagenti/plugin-adapters-maintainers +SECURITY.md @kagenti/plugin-adapters-maintainers
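Review bot: the new owner `@kagenti/plugin-adapters-maintainers` pluralizes differently from the repository name `plugins-adapter` that appears in the SECURITY.md advisory URL in patch 1/2, so confirm the team slug character for character before merging. A team listed in CODEOWNERS only takes effect if it exists, is visible and has write access to the repository, and a mistyped slug fails without blocking the merge. A quick check is to open a draft pull request touching one of these paths and verify that the team is requested for review.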