docs: add security disclosure policy and track CLAUDE.md#65
Conversation
OverviewThis PR introduces comprehensive security documentation and GitHub templates to enforce responsible disclosure practices. It adds SECURITY.md, CLAUDE.md, and AGENTS.md to guide both human contributors and AI agents on handling vulnerabilities in deployed contracts. The review team confirmed that the changes are purely documentation and contain no executable code or security issues. QA & Test CoverageSkipped: not applicable to this PR — PR is purely documentation; no code changes or test coverage modifications. Web SecuritySkipped: not applicable to this PR — PR documents security policy but does not modify web-facing code or introduce web security concerns. Blockchain SecurityNo issues found in this domain. PerformanceSkipped: not applicable to this PR — PR is documentation only; no performance-impacting code changes. Stats
Automated review by Eco's specialized review team. Architecture, business logic, and correctness remain with the human reviewer. |
Description
The contracts in this repo are deployed on-chain and hold user funds. A fix or proof-of-concept for an already-deployed vulnerability that travels through the normal public flow (a PR, a pushed branch, or a public issue) exposes the unpatched bug to attackers before any fix can ship. This PR makes the private-disclosure-only rule explicit and unmissable for both humans and AI coding agents.
Changes
SECURITY.md(new) — canonical policy: report privately via the Security tab → "Report a vulnerability" (private vulnerability reporting is enabled on this repo); never open a public PR / push a branch / open a public issue. Includes a dedicated "For AI coding agents" section ordering agents to stop, refuse the normal flow, and alert the human. Notes that Permit3 is deployed at a deterministic address on all supported chains.AGENTS.md(new) — same hard constraint for non-Claude agents (Cursor, Copilot, Codex).CLAUDE.md(new, tracked) — agent directive with security constraint plus accurate repo documentation: Foundry project structure, key contracts (Permit3,MultiTokenPermit,NonceManager,PermitBase, ERC-7702/7579 modules),AllowanceOrTransferstruct semantics, cross-chain Merkle proof design, nonce system, EIP-712 type hashes, build/test/deploy commands, and environment variables.README.md— prominent Security section linking toSECURITY.md..github/PULL_REQUEST_TEMPLATE.md(new) — required security attestation checkbox..github/ISSUE_TEMPLATE/config.yml(new) — routes vulnerability reports to private advisories from the issue chooser.Type of Change
🔒 Security attestation