docs: add CONTRIBUTING + SECURITY, polish README #3
Merged
- CONTRIBUTING.md — workflow, scope, and back-port policy for the public source mirror. Clarifies that canonical build lives in the monorepo and merged PRs are back-ported on each tagged release.
- SECURITY.md — disclosure address (security@truealter.com), scope (provenance / x402 / discovery / auth / supply chain), and a summary of prior hardening (verify_at allowlist, https-only, wallet-agnostic signer, x402 policy gates).
- README — CI + Node version badges; Docker usage section (primarily for Glama listing); Contributing and Security sections linking to the new meta files.
- CHANGELOG — Unreleased section captures this pass.

No code changes. No new runtime deps.

Acted-By: ~blake
Drafted-With: ~cc-opus-4-6
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
First-impression polish for the public source mirror.
- CONTRIBUTING.md — workflow, scope, and the monorepo back-port policy so contributors know what happens after a PR merges here.
- SECURITY.md — disclosure address, scope (provenance / x402 / discovery / auth / supply chain), and a short summary of prior hardening already shipped (verify_at allowlist, https-only scheme, wallet-agnostic signer, x402 policy gates).
- README.md — CI + Node version badges; Docker usage section; Contributing and Security sections linking to the new meta files.
- CHANGELOG.md — Unreleased section.

No code changes. No new runtime deps. Public repo is still the source mirror; canonical build remains in the monorepo.
Known drift flagged separately
Diff between this repo's src/provenance.ts + tests/provenance.test.ts + tsup.config.ts and the monorepo copy shows the monorepo has additional hardening not yet mirrored here (JWKS size cap, origin+pathname cache key, userinfo-URL rejection, sourcemap-disabled). That sync is a separate PR, out of scope for this docs pass.
Test plan
🤖 Generated with Claude Code