From 44aeeb495db08cbf7522a2f44de13a6063484594 Mon Sep 17 00:00:00 2001
From: Caleb Faruki <calebfaruki@hey.com>
Date: Thu, 19 Mar 2026 13:48:30 +0100
Subject: [PATCH 1/2] Add CodeQL scanning for GitHub Actions workflows

CodeQL's Rust support is minimal, but scanning Actions workflow
definitions satisfies the OpenSSF Scorecard SAST check. Runs in
parallel with test and audit after lint.
---
 .github/workflows/ci.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a9f00a1..83493f4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,3 +41,15 @@ jobs:
       - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+
+  codeql:
+    needs: lint
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: github/codeql-action/init@603b797f8b14b413fe025cd935a91c16c4782713 # v3
+        with:
+          languages: actions
+      - uses: github/codeql-action/analyze@603b797f8b14b413fe025cd935a91c16c4782713 # v3
\ No newline at end of file

From 35a522d2fe2b1c1565ff80b39a22301f89cddd8b Mon Sep 17 00:00:00 2001
From: Caleb Faruki <calebfaruki@hey.com>
Date: Thu, 19 Mar 2026 13:55:21 +0100
Subject: [PATCH 2/2] Add SECURITY.md with vulnerability reporting policy

Defines private reporting via GitHub advisories, 48-hour acknowledgment,
90-day fix timeline with coordinated disclosure, and scope aligned to
the project's security invariants. Addresses OpenSSF Scorecard
Security-Policy check.
---
 SECURITY.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..170c700
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Do not open a public issue.** Instead, use [GitHub private vulnerability reporting](https://github.com/calebfaruki/airlock/security/advisories/new) to submit your report.
+
+Include: what you found, steps to reproduce, and which version you tested against.
+
+## Response
+
+You should receive an acknowledgment within 48 hours. Security fixes are prioritized over all other work. We aim to release a fix within 90 days of a confirmed report, coordinating public disclosure timing with the reporter.
+
+## Supported Versions
+
+Only the latest release receives security patches.
+
+## Scope
+
+Security issues include: socket permission bypass, command allowlist bypass, environment isolation escape, shell injection, credential leakage across profiles, and audit log tampering.
+
+Out of scope: denial of service via slow commands, feature requests, and issues in user-authored hooks or command overrides.