security: SECURITY.md, Dependabot config, CodeQL scanning, CI workflow

Author: Douglas Jones

.github/dependabot.yml

@@ -0,0 +1,45 @@
+# Dependabot configuration for Codifide
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates
+
+version: 2
+updates:
+  # Python package dependencies
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "python"
+    # Only flag security updates automatically — version bumps are low priority
+    # for a language runtime with no external runtime dependencies.
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch"]
+
+  # Rust crate dependencies
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "rust"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch"]
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 3
+    labels:
+      - "dependencies"
+      - "github-actions"

.github/workflows/ci.yml

@@ -0,0 +1,50 @@
+name: CI
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  test:
+    name: Python tests (${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.9", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install package
+        run: pip install -e ".[blob]"
+
+      - name: Run test suite
+        run: python3 -m pytest tests/ -q --tb=short
+
+      - name: Verify dispatch index is current
+        run: python3 -m codifide dispatch-index --check
+
+      - name: Verify capability manifest is current
+        run: |
+          python3 -m codifide capability > /tmp/live_manifest.json
+          python3 -c "
+          import json, sys
+          live = json.load(open('/tmp/live_manifest.json'))
+          checked = json.load(open('docs/capability-0.1.json'))
+          # Strip generator version for comparison (version changes on every release)
+          live.pop('generator', None)
+          checked.pop('generator', None)
+          if live != checked:
+              print('docs/capability-0.1.json is stale — regenerate with: python3 -m codifide capability > docs/capability-0.1.json')
+              sys.exit(1)
+          print('Capability manifest is current.')
+          "

.github/workflows/codeql.yml

@@ -0,0 +1,47 @@
+name: "CodeQL — Security scanning"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    # Run weekly on Monday at 08:00 UTC
+    - cron: "0 8 * * 1"
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: python
+            build-mode: none
+          - language: actions
+            build-mode: none
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          # Queries: security-extended catches more than the default set.
+          # security-and-quality adds style/maintainability on top.
+          queries: security-extended
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

SECURITY.md

@@ -0,0 +1,63 @@
+# Security Policy
+
+## Supported versions
+
+| Version | Supported |
+|---------|-----------|
+| 4.x     | ✅ Current release — security fixes applied |
+| 3.x     | ⚠️ Critical fixes only |
+| < 3.0   | ❌ No longer supported |
+
+## Reporting a vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Use GitHub's private vulnerability reporting instead:
+1. Go to the [Security tab](https://github.com/codifide/codifide-programming-language/security)
+2. Click **"Report a vulnerability"**
+3. Fill in the details
+
+We will acknowledge receipt within **48 hours** and aim to provide a fix or
+mitigation within **14 days** for critical issues.
+
+## What counts as a security vulnerability
+
+- **Interpreter sandbox escapes** — a Codifide program that performs effects
+  not declared in its `effects {}` signature, bypassing the transitive effect
+  check
+- **Store integrity bypass** — a way to write to the symbol store without
+  hash verification, or to read bytes that do not match the declared identity
+- **Path traversal in `io.read` / `io.write`** — bypassing the `..` defense
+- **HTTPS enforcement bypass in `http.get` / `http.post`** — making HTTP
+  requests to non-HTTPS URLs
+- **Registry authentication bypass** — accessing `POST /symbols` without a
+  valid `REGISTRY_WRITE_TOKEN`
+- **Denial of service** — inputs that cause the interpreter to hang, exhaust
+  memory, or crash the host process
+
+## What does not count
+
+- Programs that produce wrong output due to a logic bug (use a regular issue)
+- Performance problems that do not constitute a DoS (use a regular issue)
+- Theoretical vulnerabilities without a proof of concept
+
+## Security design notes
+
+Codifide's security model is documented in the interpreter and store:
+
+- **Effect enforcement** is transitive and checked at module load, not at
+  runtime. A pure function cannot call an effectful one without the violation
+  being caught before any code executes.
+- **Content addressing** means the store cannot return different bytes under
+  the same identity — every read is hash-verified.
+- **The RPC server** binds to `127.0.0.1` only by default. It is not safe to
+  expose over a network without a reverse proxy with TLS and authentication.
+- **`io.read` and `io.write`** reject paths containing `..` before any
+  filesystem access.
+- **`http.get` and `http.post`** reject non-HTTPS URLs before any network
+  request.
+
+## Disclosure policy
+
+We follow coordinated disclosure. We will credit reporters in the release
+notes unless they prefer to remain anonymous.