Skip to content

docs: add security disclosure policy and track CLAUDE.md#65

Merged
MSevey merged 2 commits into
mainfrom
docs/security-policy
Jun 25, 2026
Merged

docs: add security disclosure policy and track CLAUDE.md#65
MSevey merged 2 commits into
mainfrom
docs/security-policy

Conversation

@fish-sammy

Copy link
Copy Markdown
Contributor

Description

The contracts in this repo are deployed on-chain and hold user funds. A fix or proof-of-concept for an already-deployed vulnerability that travels through the normal public flow (a PR, a pushed branch, or a public issue) exposes the unpatched bug to attackers before any fix can ship. This PR makes the private-disclosure-only rule explicit and unmissable for both humans and AI coding agents.

Changes

  • SECURITY.md (new) — canonical policy: report privately via the Security tab → "Report a vulnerability" (private vulnerability reporting is enabled on this repo); never open a public PR / push a branch / open a public issue. Includes a dedicated "For AI coding agents" section ordering agents to stop, refuse the normal flow, and alert the human. Notes that Permit3 is deployed at a deterministic address on all supported chains.
  • AGENTS.md (new) — same hard constraint for non-Claude agents (Cursor, Copilot, Codex).
  • CLAUDE.md (new, tracked) — agent directive with security constraint plus accurate repo documentation: Foundry project structure, key contracts (Permit3, MultiTokenPermit, NonceManager, PermitBase, ERC-7702/7579 modules), AllowanceOrTransfer struct semantics, cross-chain Merkle proof design, nonce system, EIP-712 type hashes, build/test/deploy commands, and environment variables.
  • README.md — prominent Security section linking to SECURITY.md.
  • .github/PULL_REQUEST_TEMPLATE.md (new) — required security attestation checkbox.
  • .github/ISSUE_TEMPLATE/config.yml (new) — routes vulnerability reports to private advisories from the issue chooser.

Type of Change

  • Documentation update

🔒 Security attestation

  • This PR is not a security fix.

@eco-ai-app

eco-ai-app Bot commented Jun 25, 2026

Copy link
Copy Markdown

Overview

This PR introduces comprehensive security documentation and GitHub templates to enforce responsible disclosure practices. It adds SECURITY.md, CLAUDE.md, and AGENTS.md to guide both human contributors and AI agents on handling vulnerabilities in deployed contracts. The review team confirmed that the changes are purely documentation and contain no executable code or security issues.

QA & Test Coverage

Skipped: not applicable to this PR — PR is purely documentation; no code changes or test coverage modifications.

Web Security

Skipped: not applicable to this PR — PR documents security policy but does not modify web-facing code or introduce web security concerns.

Blockchain Security

No issues found in this domain.

Performance

Skipped: not applicable to this PR — PR is documentation only; no performance-impacting code changes.

Stats

Metric Value
Reviewers 4
Successful 1
Skipped 3
Failed 0
Total findings 0
Cross-domain 0
Tokens (in / out) 15502 / 574

Automated review by Eco's specialized review team. Architecture, business logic, and correctness remain with the human reviewer.

@MSevey MSevey merged commit ee41d83 into main Jun 25, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants