feat: add security governance (CODEOWNERS, SECURITY.md, .gitignore hardening)

.github/CODEOWNERS

@@ -0,0 +1,29 @@
+# CODEOWNERS
+#
+# Defines code ownership for automatic review requests on pull requests.
+# Owners are notified when files in their area are changed.
+#
+# Syntax: <pattern> <owner> [<owner> ...]
+# Patterns follow .gitignore rules. Last matching rule wins.
+#
+# Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default: all maintainers review everything
+* @kagenti/plugin-adapters-maintainers
+
+# CI and developer tooling
+.github/ @kagenti/plugin-adapters-maintainers
+Makefile @kagenti/plugin-adapters-maintainers
+pyproject.toml @kagenti/plugin-adapters-maintainers
+.pre-commit-config.yaml @kagenti/plugin-adapters-maintainers
+
+# Core server implementation — highest impact changes
+src/ @kagenti/plugin-adapters-maintainers
+
+# Plugin framework and examples
+plugins/ @kagenti/plugin-adapters-maintainers
+
+# Documentation and governance
+*.md @kagenti/plugin-adapters-maintainers
+CODEOWNERS @kagenti/plugin-adapters-maintainers
+SECURITY.md @kagenti/plugin-adapters-maintainers

.gitignore

@@ -135,6 +135,8 @@ celerybeat.pid
 
 # Environments
 .env
+.env.*
+.env.local
 .venv
 env/
 venv/
@@ -166,9 +168,18 @@ dmypy.json
 # Cython debug symbols
 cython_debug/
 
-# PyCharm
-#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
-#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
-#  and can be added to the global gitignore or merged into this file.  For a more nuclear
-#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
+# PyCharm / JetBrains
+.idea/
+
+# VS Code
+.vscode/
+
+# Credentials and secrets
+*.pem
+*.key
+*.p12
+*.jks
+kubeconfig
+*kubeconfig*
+credentials.*
+secrets.*

SECURITY.md

@@ -0,0 +1,62 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities through GitHub Security Advisories —
+**do NOT open public issues for security bugs**.
+
+**[Report a vulnerability →](https://github.com/kagenti/plugins-adapter/security/advisories/new)**
+
+Include:
+- A clear description of the vulnerability
+- Steps to reproduce
+- Potential impact assessment
+- Any suggested mitigations (optional)
+
+## Response Timeline
+
+| Stage | Target |
+|-------|--------|
+| Acknowledgment | Within 48 hours |
+| Initial assessment | Within 7 days |
+| Status update | Weekly until resolved |
+| Credit | In the security advisory (if desired) |
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| `main`  | ✅ |
+
+Older tagged releases receive security fixes on a best-effort basis.
+
+## Security Controls
+
+This repository implements the following security measures:
+
+| Control | Tool |
+|---------|------|
+| Dependency vulnerability scanning | Trivy (CRITICAL/HIGH on PRs) |
+| Dependency updates | Dependabot (weekly, all ecosystems) |
+| Python SAST | Bandit (HIGH severity blocks PRs) |
+| Code analysis | CodeQL (security-extended queries) |
+| Dockerfile lint | Hadolint |
+| Secret detection | Pre-commit hooks |
+| Supply chain | OpenSSF Scorecard (weekly), SHA-pinned actions |
+| License compliance | Dependency Review Action (GPL/AGPL blocked) |
+
+## Security-Sensitive Areas
+
+Changes to the following require extra scrutiny:
+
+- `src/server.py` — gRPC ext-proc server handling all traffic
+- `plugins/` — Plugin interface and example implementations
+- `.github/workflows/` — CI/CD pipeline
+- `Dockerfile` — Container image
+
+## Disclosure Policy
+
+We follow coordinated disclosure. Once a fix is available:
+1. A security advisory is published on GitHub
+2. A new release tag is pushed
+3. The advisory is made public (typically 7 days after the fix is released)