Skip to content

Commit 9bbb33b

Browse files
committed
chore: add Dependabot, SECURITY.md, MIGRATION.md
1 parent 79a3799 commit 9bbb33b

3 files changed

Lines changed: 264 additions & 0 deletions

File tree

.github/dependabot.yml

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
version: 2
2+
updates:
3+
# Go modules
4+
- package-ecosystem: gomod
5+
directory: /
6+
schedule:
7+
interval: weekly
8+
day: monday
9+
open-pull-requests-limit: 10
10+
reviewers:
11+
- "@GrayCodeAI/maintainers"
12+
labels:
13+
- dependencies
14+
- go
15+
commit-message:
16+
prefix: "deps"
17+
include: scope
18+
19+
# GitHub Actions
20+
- package-ecosystem: github-actions
21+
directory: /
22+
schedule:
23+
interval: weekly
24+
day: monday
25+
open-pull-requests-limit: 5
26+
reviewers:
27+
- "@GrayCodeAI/maintainers"
28+
labels:
29+
- dependencies
30+
- ci
31+
commit-message:
32+
prefix: "ci"
33+
34+
# Docker
35+
- package-ecosystem: docker
36+
directory: /
37+
schedule:
38+
interval: weekly
39+
day: monday
40+
open-pull-requests-limit: 5
41+
reviewers:
42+
- "@GrayCodeAI/maintainers"
43+
labels:
44+
- dependencies
45+
- docker
46+
commit-message:
47+
prefix: "docker"

MIGRATION.md

Lines changed: 108 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,108 @@
1+
# Migration Guide
2+
3+
## Upgrading to v0.1.1
4+
5+
### Breaking Changes
6+
7+
None. This is a backward-compatible release.
8+
9+
### New Features
10+
11+
- Added Dependabot for automated dependency updates
12+
- Added SECURITY.md for vulnerability reporting
13+
- Added performance benchmarks
14+
- Increased test coverage
15+
16+
### Upgrade Steps
17+
18+
```bash
19+
# Update CLI
20+
curl -fsSL https://gitant.io/install.sh | sh
21+
22+
# Update daemon
23+
docker pull ghcr.io/graycodeai/gitant-daemon:v0.1.1
24+
25+
# Update web
26+
docker pull ghcr.io/graycodeai/gitant-web:v0.1.1
27+
```
28+
29+
## Upgrading from v0.1.0 to v0.1.1
30+
31+
### Database
32+
33+
No schema changes. Existing data is compatible.
34+
35+
### Configuration
36+
37+
No configuration changes required.
38+
39+
### API
40+
41+
No breaking API changes.
42+
43+
## Upgrading from Pre-release to v0.1.0
44+
45+
### Breaking Changes
46+
47+
1. **CLI renamed**: `gitant``gt` (alias `gitant` still works)
48+
2. **MCP tools renamed**: All tools now use `gitant_` prefix
49+
3. **API endpoints**: Some endpoints moved to `/api/v1/` prefix
50+
51+
### Database Migration
52+
53+
```bash
54+
# Backup existing data
55+
cp -r ~/.gitant ~/.gitant.backup
56+
57+
# Run migration (if any)
58+
gitant migrate
59+
```
60+
61+
### Configuration Changes
62+
63+
```yaml
64+
# Old config
65+
daemon_url: http://localhost:7777
66+
67+
# New config (same, but documented)
68+
daemon_url: http://localhost:7777
69+
```
70+
71+
### API Changes
72+
73+
| Old Endpoint | New Endpoint |
74+
|--------------|--------------|
75+
| `/repos` | `/api/v1/repos` |
76+
| `/issues` | `/api/v1/repos/{id}/issues` |
77+
| `/prs` | `/api/v1/repos/{id}/prs` |
78+
79+
### MCP Tool Changes
80+
81+
All MCP tools now use `gitant_` prefix:
82+
83+
| Old Name | New Name |
84+
|----------|----------|
85+
| `list_repos` | `gitant_list_repos` |
86+
| `create_issue` | `gitant_create_issue` |
87+
| `open_pr` | `gitant_open_pr` |
88+
89+
## Rollback
90+
91+
If you need to rollback:
92+
93+
```bash
94+
# Restore from backup
95+
cp -r ~/.gitant.backup ~/.gitant
96+
97+
# Downgrade CLI
98+
curl -fsSL https://gitant.io/install.sh | sh -s -- --version v0.1.0
99+
```
100+
101+
## Support
102+
103+
If you encounter issues during migration:
104+
105+
1. Check the [FAQ](https://docs.gitant.io/faq)
106+
2. Search [GitHub Issues](https://github.com/GrayCodeAI/gitant-daemon/issues)
107+
3. Ask on [Discord](https://discord.gg/gitant)
108+
4. Email support@gitant.io

SECURITY.md

Lines changed: 109 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,109 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
| Version | Supported |
6+
| ------- | ------------------ |
7+
| 0.1.x | :white_check_mark: |
8+
| < 0.1 | :x: |
9+
10+
## Reporting a Vulnerability
11+
12+
We take security seriously. If you discover a security vulnerability, please report it responsibly.
13+
14+
### How to Report
15+
16+
**DO NOT** open a public GitHub issue for security vulnerabilities.
17+
18+
Instead, please report them via email to: **security@gitant.io**
19+
20+
### What to Include
21+
22+
Please include the following in your report:
23+
24+
- Description of the vulnerability
25+
- Steps to reproduce
26+
- Potential impact
27+
- Suggested fix (if any)
28+
29+
### Response Timeline
30+
31+
- **Acknowledgment**: Within 24 hours
32+
- **Initial Assessment**: Within 72 hours
33+
- **Fix Development**: Within 7 days for critical, 30 days for others
34+
- **Public Disclosure**: After fix is released
35+
36+
### Bug Bounty
37+
38+
We offer bug bounties for critical vulnerabilities:
39+
40+
| Severity | Bounty |
41+
|----------|--------|
42+
| Critical (RCE, Auth Bypass) | $500-$2000 |
43+
| High (Data Leak, CSRF) | $200-$500 |
44+
| Medium (XSS, Info Disclosure) | $50-$200 |
45+
| Low (Minor Issues) | $25-$50 |
46+
47+
### Scope
48+
49+
The following are in scope:
50+
51+
- gitant-daemon
52+
- gitant-cli
53+
- gitant-mcp
54+
- gitant-web
55+
- Smart contracts (Solidity)
56+
57+
### Out of Scope
58+
59+
- Social engineering
60+
- Physical attacks
61+
- Denial of service
62+
- Third-party dependencies (report to them directly)
63+
64+
## Security Features
65+
66+
### Authentication
67+
- UCAN capability tokens
68+
- HTTP Signatures (RFC 9421)
69+
- OAuth2 integration
70+
- API key authentication
71+
- LDAP integration
72+
- TOTP 2FA
73+
74+
### Authorization
75+
- Role-based access control (RBAC)
76+
- Scoped UCAN capabilities
77+
- Repository-level permissions
78+
- Branch protection rules
79+
80+
### Data Protection
81+
- Encrypted secrets at rest
82+
- SHA-256 hashed API keys
83+
- Bcrypt password hashing
84+
- TLS encryption in transit
85+
86+
### Network Security
87+
- CORS validation
88+
- CSRF protection
89+
- Rate limiting
90+
- Input validation
91+
- SSRF protection
92+
- WebSocket origin validation
93+
94+
### Audit
95+
- Request logging
96+
- Activity tracking
97+
- Webhook notifications
98+
- Anomaly detection
99+
100+
## Security Contacts
101+
102+
- **Email**: security@gitant.io
103+
- **PGP Key**: [Available on request]
104+
105+
## Acknowledgments
106+
107+
We thank the following security researchers:
108+
109+
- (Be the first to report a vulnerability!)

0 commit comments

Comments
 (0)