Merge pull request #3 from madeinplutofabio/scaffold

v0.5.0: Protocol + Hardened Mode + Production Candidate

Author: madeinplutofabio

.github/SECURITY_ADVISORY_TEMPLATE.md

@@ -0,0 +1,79 @@
+# Security Advisory Template
+
+## Summary
+
+<!-- One-sentence description of the vulnerability -->
+
+## Affected Versions
+
+<!-- Which versions are affected? -->
+
+- 0.x.y and earlier
+
+## Affected Components
+
+<!-- Check all that apply -->
+
+- [ ] Executor (`csc_runner/executor.py`)
+- [ ] Sandbox (`csc_runner/sandbox.py`)
+- [ ] Signing (`csc_runner/signing.py`)
+- [ ] Approval (`csc_runner/approval.py`)
+- [ ] Policy (`csc_runner/policy.py`)
+- [ ] Path enforcement (`csc_runner/pathutil.py`)
+- [ ] Resource limits (`csc_runner/limits.py`)
+- [ ] CLI (`csc_runner/cli.py`)
+- [ ] Schemas
+- [ ] Dockerfile / container image
+
+## Affected Modes
+
+- [ ] Local mode
+- [ ] Hardened mode
+- [ ] Both
+
+## Severity
+
+<!-- Critical / High / Medium / Low — see SECURITY.md for rubric -->
+
+## Bounded Production Claim Impact
+
+<!-- Does this issue block or weaken the bounded production claim?
+     High/critical issues block the claim until resolved.
+     Medium issues require an explicit acceptance note. -->
+
+- [ ] Blocks bounded production claim
+- [ ] Weakens claim (requires acceptance note)
+- [ ] No impact on claim
+
+## Description
+
+<!-- Detailed description of the vulnerability, including root cause -->
+
+## Impact
+
+<!-- What can an attacker do? What is the blast radius? -->
+
+## Reproduction
+
+<!-- Steps to reproduce, proof of concept, or test case -->
+
+## Fix
+
+<!-- Description of the fix, PR reference -->
+
+## Mitigation
+
+<!-- Workarounds available before applying the fix -->
+
+## Regression Test
+
+<!-- Reference to the regression test added for this vulnerability.
+     Required before closing the advisory. -->
+
+- Test file: <!-- e.g. tests/test_adversarial.py, tests/test_executor.py -->
+- Test name: <!-- e.g. test_vuln_123_path_traversal_regression -->
+- [ ] Regression test merged
+
+## Credit
+
+<!-- Reporter attribution (unless they request anonymity) -->

.github/SECURITY_RELEASE_TEMPLATE.md

@@ -0,0 +1,39 @@
+# Security Release Notes Template
+
+## Release vX.Y.Z — Security Fix
+
+### Security
+
+#### [SEVERITY] — Brief title
+
+**Advisory:** GHSA-xxxx-xxxx-xxxx
+
+**Affected versions:** 0.x.y and earlier
+
+**Affected component(s):** <!-- e.g. sandbox, signing, executor -->
+
+**Affected mode:** <!-- local / hardened / both -->
+
+**Bounded production claim impact:** <!-- blocks claim / weakens claim / no impact -->
+
+**Description:**
+
+<!-- 2-3 sentence description of the vulnerability and its impact, suitable for public disclosure. Do not include exploitation details beyond what is needed for users to assess their exposure. -->
+
+**Fix:**
+
+<!-- Brief description of what was changed to fix the vulnerability. -->
+
+**Mitigation for users who cannot upgrade immediately:**
+
+<!-- Workarounds, if any. "No workaround; upgrade required." if none. -->
+
+**Regression test:** <!-- e.g. tests/test_adversarial.py::test_vuln_123 -->
+
+**Credit:** <!-- Reporter attribution, or "Reported internally" -->
+
+---
+
+### Other Changes
+
+<!-- Non-security changes in this release, if any. -->

.github/dependabot.yml

@@ -0,0 +1,47 @@
+# Dependabot configuration
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates
+#
+# Notes:
+# - Docker entry watches root Dockerfile only. Add entries for subdirectory
+#   Dockerfiles if needed later.
+# - If update noise gets high, add groups to batch minor/patch updates.
+
+version: 2
+updates:
+  # Python dependencies (pip)
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    commit-message:
+      prefix: "deps"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    commit-message:
+      prefix: "ci"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "ci"
+
+  # Docker
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    commit-message:
+      prefix: "deps"
+    open-pull-requests-limit: 3
+    labels:
+      - "dependencies"
+      - "docker"

.github/workflows/hardened-tests.yml

@@ -0,0 +1,81 @@
+name: Hardened Integration Tests
+
+on:
+  push:
+    branches: [main, scaffold]
+  pull_request:
+    branches: [main, scaffold]
+
+permissions:
+  contents: read
+
+# This workflow runs:
+# 1. Standard tests on Linux (ubuntu-latest) across Python versions.
+#    Full platform matrix (Windows, macOS) belongs in ci.yml.
+# 2. Hardened integration tests inside the Docker container.
+#    The outer container runs as root with --privileged and AppArmor
+#    disabled so bwrap can create namespaces and configure loopback.
+#    Running as root is a CI-only requirement — bwrap --unshare-net
+#    needs CAP_NET_ADMIN to set up loopback in its network namespace.
+#    The product Dockerfile runs as non-root (csc-runner).
+#    Network isolation is enforced and tested by bwrap --unshare-net
+#    inside the sandbox — the primary hardened-mode boundary.
+#
+# Action versions are not yet pinned to SHA — that is a Stage 3 Step C task.
+
+jobs:
+  standard-tests:
+    name: Standard Tests (Linux)
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Lint
+        run: |
+          ruff check .
+          ruff format --check .
+
+      - name: Run standard tests
+        run: python -m pytest --tb=short -q --ignore=tests/test_integration_hardened.py
+        timeout-minutes: 5
+
+  hardened-tests:
+    name: Hardened Integration Tests (Docker)
+    runs-on: ubuntu-latest
+    needs: standard-tests
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build hardened image
+        run: docker build -t csc-hardened .
+
+      - name: Verify sandbox tools available
+        run: |
+          docker run --rm --entrypoint bwrap csc-hardened --version
+          docker run --rm --entrypoint setpriv csc-hardened --version
+          docker run --rm --entrypoint prlimit csc-hardened --version
+
+      - name: Run hardened integration tests
+        run: |
+          docker run \
+            --rm \
+            --privileged \
+            --security-opt apparmor=unconfined \
+            --user 0 \
+            --entrypoint python \
+            -v ${{ github.workspace }}:/repo:ro \
+            -w /app \
+            csc-hardened \
+            -m pytest /repo/tests/test_integration_hardened.py -v --tb=short
+        timeout-minutes: 10