security: add bandit + semgrep scans and OpenSSF badge-ready policy docs

.github/workflows/ci.yml

@@ -5,6 +5,9 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -42,6 +45,16 @@ jobs:
       - name: Module boundary check
         run: uv run tach check
 
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - run: pip install semgrep
+      - run: semgrep scan --error --config=p/python --config=p/security-audit --config=p/owasp-top-ten src/
+
   test:
     runs-on: ubuntu-latest
     steps:

.pre-commit-config.yaml

@@ -29,3 +29,10 @@ repos:
         types: [python]
         pass_filenames: false
         verbose: true
+      - id: bandit
+        name: bandit (security scan, medium+)
+        entry: uv run bandit -r -ll src
+        language: system
+        types: [python]
+        pass_filenames: false
+        verbose: true

CHANGELOG.md

@@ -0,0 +1,43 @@
+# Changelog
+
+All notable changes to Monarch Forecast are documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project aims to follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+- Security scanning: bandit runs in pre-commit at medium+ severity; semgrep
+  runs in CI with the `p/python`, `p/security-audit`, and `p/owasp-top-ten`
+  rule packs.
+- `SECURITY.md` describing the private vulnerability reporting process.
+- `CONTRIBUTING.md` documenting the contribution, testing, and code-style
+  policy.
+
+### Changed
+
+- Hardened on-disk secret handling: session and cache files are created with
+  `0600` permissions atomically (no pre-`chmod` read window), reject symlinks
+  and non-regular files, and verify current-user ownership on open.
+- Flipped `src.data` and `src.forecast` layering so the forecast engine sits
+  above raw data fetching; enforced via `tach`.
+
+### Fixed
+
+- Skip update check when running without installed package metadata
+  (avoids spurious "update available" banners from source checkouts).
+- Honor credit-card amount overrides when the billing cycle has no charges.
+- Avoid empty-`Semantics` dismiss state; tolerate corrupt one-off amounts.
+- Accurate chart summary start balance; alerts live-region sync.
+
+## [0.1.0-alpha.1] — 2026-04-07
+
+Initial alpha release. Cash-flow forecasting for Monarch Money checking
+accounts, with recurring-transaction detection, credit-card payment
+estimation, low-balance alerts, manual one-off adjustments, and cross-platform
+desktop builds (macOS / Windows / Linux).
+
+[Unreleased]: https://github.com/rlorenzo/Monarch-Forecast/compare/v0.1.0-alpha.1...HEAD
+[0.1.0-alpha.1]: https://github.com/rlorenzo/Monarch-Forecast/releases/tag/v0.1.0-alpha.1

CONTRIBUTING.md

@@ -0,0 +1,52 @@
+# Contributing
+
+Thanks for your interest in contributing. Contributions of bug reports,
+features, documentation, and tests are welcome.
+
+## Reporting bugs and requesting features
+
+Open an issue at [GitHub Issues](https://github.com/rlorenzo/Monarch-Forecast/issues)
+and include:
+
+- What you expected to happen and what actually happened.
+- Steps to reproduce.
+- Your operating system and how you installed the project.
+- Relevant log output, if any.
+
+For security vulnerabilities, follow [SECURITY.md](SECURITY.md) instead — do
+not open a public issue.
+
+## Submitting changes
+
+1. Open an issue before investing significant time, so we can agree on scope
+   and approach.
+2. Fork the repository and create a branch from `main`.
+3. Set up your development environment — see the
+   [Development](README.md#development) section of the README.
+4. Install the pre-commit hooks: `uv run pre-commit install`. They mirror the
+   checks CI runs.
+5. Make your change, including tests (see below).
+6. Open a pull request against `main`. All CI checks must pass.
+
+## Testing
+
+Pull requests that change behavior should include tests. Bug fixes should
+include a regression test that fails without the fix.
+
+- Unit tests live in [tests/](tests/); mirror the source layout.
+- Mock external boundaries (network, OS keychain, third-party clients).
+- Prefer fixtures over shared mutable state.
+
+## Code style
+
+- Linting and type checking are enforced in CI and pre-commit. Fix all
+  findings before submitting.
+- Run the formatter before committing.
+- Keep public APIs documented and typed.
+
+## Commit messages
+
+- Use clear, imperative commit messages ("add X", "fix Y", not "added"
+  / "fixes").
+- Reference issues or PRs where relevant.
+- Keep unrelated changes in separate commits.