chore(v0.3.1): add SECURITY.md / Sigstore attestations / pytest pythonpath / docs follow-up (#12)

Add the SECURITY.md the v0.1.1 CHANGELOG entry promised but never
landed. Includes supported-version table (0.3.x supported, older
unsupported), private reporting flow via GitHub Security Advisories,
acknowledgement / fix SLAs, and the in-scope / out-of-scope split.

Enable PEP 740 Sigstore attestations on PyPI publishes via
pypa/gh-action-pypi-publish@release/v1 with: attestations: true.
Downstream consumers can verify artifact provenance from 0.3.1
onwards without trust-on-first-use.

Set [tool.pytest.ini_options].pythonpath = ["src"] so contributors
running pytest immediately after a fresh clone do not hit the 17
KeyError failures that a stale system-installed wheel produces by
shadowing the source tree.

README pre-commit pin: v0.2.1 → v0.3.1 so pinning the example
actually gets R012 / R013 / R014. README testing section: replaced
"Aim for 45+ passing tests" with the current actual count (66) and
an enumeration of rules covered.

CHANGELOG v0.1.2: replaced placeholder [PR/discussion link] with the
concrete PR reference. CHANGELOG v0.1.1 SECURITY.md line corrected
with a parenthetical noting the file actually landed at 0.3.1.

No rule logic changed; this release is byte-identical to 0.3.0 in
behaviour. Consumers who already run 0.3.0 see no behavioural
difference, but gain Sigstore-attested artifacts and a working
pre-commit pin.

Author: hinanohart

.github/workflows/publish.yml

@@ -85,6 +85,8 @@ jobs:
 
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          attestations: true  # PEP 740 Sigstore attestation; downstream consumers can verify the artifact origin without trust-on-first-use.
         # No `password` or `user` — OIDC trusted publishing handles auth.
         # Configure the trusted publisher on PyPI before the first release
         # this workflow ships (see header comment for the one-time setup).

CHANGELOG.md

@@ -1,5 +1,48 @@
 # CHANGELOG — claude-memory-lint
 
+## v0.3.1 — 2026-05-09 (patch follow-up)
+
+### Added
+
+* `SECURITY.md` — disclosure policy, supported-version table, the
+  in-scope / out-of-scope list, and the hardening posture summary
+  (atomic write, `.bak` mode 600, `realpath` confinement, OIDC
+  publishing, privacy-scan + pre-commit secret scan). Earlier release
+  notes referenced an "updated `SECURITY.md`" before the file
+  actually existed; this release closes that gap and the relevant
+  CHANGELOG line has been corrected.
+* PEP 740 attestations on PyPI publishes via
+  `pypa/gh-action-pypi-publish@release/v1` `with: attestations: true`.
+  Starting from this release, downstream consumers can verify
+  artifact origin through Sigstore without trust-on-first-use.
+* `pyproject.toml` `[tool.pytest.ini_options].pythonpath = ["src"]`
+  so a fresh clone runs `pytest` cleanly without the editable install.
+  Without the line, contributors hit 17 `KeyError` failures because
+  the system-installed older wheel shadows the source tree; the
+  config change makes the source layout authoritative for the test
+  run.
+
+### Fixed
+
+* `README.md` pre-commit example: `rev: v0.2.1` → `rev: v0.3.1` so
+  pre-commit users actually pin a release that contains R012 / R013 /
+  R014.
+* `README.md` testing section: replaced "Aim for `45+` passing tests"
+  with the current actual suite size (66) and an enumeration of the
+  rules covered. The "aim" wording predated multiple rule additions
+  and had become misleading.
+* `CHANGELOG.md` v0.1.2 entry: replaced placeholder
+  `[PR/discussion link]` with the concrete PR reference.
+
+### Notes
+
+No rule logic changed in this release; the rule registry, the
+default-on/off matrix, and the CLI surface are byte-identical to
+`v0.3.0`. This is a documentation / CI / build-process patch only,
+so consumers who already run `v0.3.0` get no behavioural difference
+from upgrading — but they do gain Sigstore-attested artifacts and a
+working pre-commit pin.
+
 ## v0.3.0 — 2026-05-09 (minor)
 
 ### Added — three new rules from a second pollution-investigation wave
@@ -279,7 +322,8 @@ vocabulary-collision / opt-in-error-size) considered for this
 release were rejected during a 2-agent design review for being
 either user-specific symptom projections (not generalisable to the
 OSS user base) or implementations whose false-positive rate would
-overwhelm their signal — see [PR/discussion link] for the rationale.
+overwhelm their signal — see PR #4 (and adjacent design discussion)
+for the rationale and the rejected candidates list.
 The conservative outcome here is intentional: lint rules are easier
 to add than to retract, and v0.1.1 was already addressing 90%+ of
 the in-scope failure modes.
@@ -299,7 +343,10 @@ the in-scope failure modes.
   so CI integrations actually fail.
 - **CLI `_filter_rules`**: invalid rule names raise `ValueError`
   instead of silently disabling all rules.
-- **Atomic .bak**: tmpfile + replace, mode 600. SECURITY.md updated.
+- **Atomic .bak**: tmpfile + replace, mode 600. (`SECURITY.md` was
+  referenced here at the time of v0.1.1 hardening but the dedicated
+  policy document was not landed until `v0.3.1`; see that release for
+  the actual disclosure policy.)
 
 ## v0.1.0 — 2026-05-08
 

README.md

@@ -85,7 +85,7 @@ Add to your `.pre-commit-config.yaml`:
 ```yaml
 repos:
   - repo: https://github.com/hinanohart/claude-memory-lint
-    rev: v0.2.1
+    rev: v0.3.1
     hooks:
       - id: claude-memory-lint
         args: [check, --rule, R001, --rule, R002]
@@ -132,10 +132,11 @@ pip install -e .[dev]
 pytest -v
 ```
 
-Aim for `45+` passing tests covering parser edge cases (no
+The current suite is `66` tests covering parser edge cases (no
 frontmatter / unterminated frontmatter / inline lists / multi-line
-lists), per-rule positive and negative cases, the corpus rule, and the
-CLI front-end including JSON / SARIF reporters.
+lists), per-rule positive and negative cases for R001-R014, the
+corpus rules R007 and R011, and the CLI front-end including JSON /
+SARIF reporters.
 
 ## License
 

SECURITY.md

@@ -0,0 +1,97 @@
+# Security Policy
+
+## Supported versions
+
+`claude-memory-lint` ships fixes only on the latest minor line. Older
+minor releases receive no security backports — upgrade to the latest
+release to get fixes.
+
+| Version | Supported |
+| --- | --- |
+| `0.3.x` | ✅ |
+| `0.2.x` | ❌ — please upgrade |
+| `< 0.2` | ❌ — please upgrade |
+
+## Reporting a vulnerability
+
+**Please do not open a public GitHub issue for security problems.**
+Instead, file a private report through GitHub Security Advisories:
+
+1. Open the [repository Security tab](https://github.com/hinanohart/claude-memory-lint/security/advisories/new).
+2. Click **"Report a vulnerability"** and describe what you found —
+   reproduction steps, the affected version, and the impact you can
+   demonstrate.
+3. Maintainers acknowledge new advisories within **7 days**, and aim
+   to ship a fix within **30 days** of acknowledgement when the report
+   is reproducible. Reports that turn out to be wider issues (e.g.
+   upstream Python or runner bugs) are co-disclosed with the relevant
+   project on a coordinated timeline.
+
+If GitHub Security Advisories is unavailable for any reason, you may
+fall back to opening an issue titled "security: please contact me
+privately" without reproduction details, and a maintainer will reach
+out off-platform.
+
+## In scope
+
+We treat the following as security-relevant and welcome reports on
+them:
+
+* **Secret leakage by the linter itself** — any path through which a
+  matched secret literal reaches stdout, stderr, the JSON / SARIF
+  output, the `.bak` file, log files, or any error message. R009 has
+  defence-in-depth tests asserting the matched substring is never
+  written to user-facing output; a regression there is the most
+  serious class of bug this project can ship.
+* **Path-handling weaknesses** — any way to make `cml fix` write
+  outside the directory it was pointed at, follow symlinks into
+  unrelated trees, or overwrite files under a malicious target name.
+* **Backup-file leakage** — `.bak` files written by `cml fix` are
+  created with mode `600`. A regression that widens those permissions,
+  or that writes `.bak` files outside the corpus directory, is in
+  scope.
+* **Atomic-write regressions** — `cml fix` writes through tmpfile +
+  rename to avoid leaving a truncated file on `SIGKILL`. Any change
+  that observably leaves a half-written `.md` is in scope.
+* **Privacy regressions** — the `stats` command and JSON output deliberately
+  print only filenames, rule IDs, and counts. A change that leaks
+  body content into any non-`text` reporter is in scope.
+* **Supply-chain integrity of releases** — issues with the OIDC-based
+  PyPI publish workflow (see `.github/workflows/publish.yml`),
+  including any change that lets a non-`main` branch produce a
+  PyPI release, or that bypasses the test / lint / privacy-scan
+  gates that run before publication.
+
+## Out of scope
+
+* Dependency advisories on transitively-installed packages that are
+  development-only (e.g. `pytest`, `ruff`, `build`, `twine`). Report
+  those upstream; we will follow when a fix is released.
+* Lint findings that you disagree with. Open a regular issue for
+  rule-design feedback.
+* Theoretical attacks against secret patterns the linter does not
+  claim to detect. R009 enumerates the supported pattern set; expanding
+  it is enhancement work, not a security report.
+
+## Hardening posture
+
+Some defences are already in place and are exercised by the test
+suite or CI:
+
+* **No LLM API calls.** The linter is heuristic-only; matched content
+  never leaves the local machine.
+* **Atomic writes** for `cml fix` (`tmpfile + os.replace`).
+* **Mode 600** on `.bak` files and on the temp file used for atomic
+  replacement.
+* **`realpath` confinement** in path resolution for `cml fix` so
+  symlinks cannot redirect a write to an arbitrary tree (see
+  `src/cml/cli.py` and the corresponding unit tests).
+* **Privacy-scan workflow** runs on every PR; see
+  `.github/workflows/test.yml`. Catches token literals committed
+  alongside unrelated changes.
+* **Pre-commit secret scan** (`pre-commit-security` hook) runs on the
+  maintainer side as the last write-time gate before a commit lands
+  on this repository.
+* **OIDC-based PyPI publishing** with `attestations: true` (PEP 740)
+  starting at `0.3.1` — downstream installers can verify artifact
+  provenance without long-lived API tokens.

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "claude-memory-lint"
-version = "0.3.0"
+version = "0.3.1"
 description = "A lint for Claude Code memory directories — catches frontmatter rot, oversized files, and stop-word noise before it pollutes Claude's context."
 readme = "README.md"
 requires-python = ">=3.10"
@@ -46,6 +46,11 @@ packages = ["src/cml"]
 [tool.pytest.ini_options]
 addopts = "-ra -q --strict-markers"
 testpaths = ["tests"]
+# Resolve `src/` layout without requiring an editable install; new
+# contributors can run `pytest` immediately after cloning instead of
+# discovering the editable-install requirement through 17 mysterious
+# KeyError failures.
+pythonpath = ["src"]
 
 [tool.ruff]
 line-length = 100