Add security and governance foundation #2

Draft

Copilot wants to merge 2 commits into `main` from `copilot/add-security-governance-foundation`

Conversation

Copilot AI commented Feb 26, 2026

Adds the standard security, contribution, and CI/CD infrastructure files required for an open-source C++20/JUCE project.

## New files

- `SECURITY.md` — vulnerability reporting contact, scope (memory safety, plugin loading, supply chain, file system), and submodule integrity policy
- `CONTRIBUTING.md` — build requirements (CMake 3.21+, AppleClang 14+, macOS Monterey Intel), code standards, PR process, and plugin development constraints
- `.github/dependabot.yml` — weekly auto-updates for GitHub Actions dependencies; C++/CMake submodules flagged for manual review only
- `.github/workflows/ci.yml` — macOS build pipeline: checkout with submodules, CMake configure + build, ctest
- `.github/workflows/codeql.yml` — weekly C/C++ CodeQL analysis on Ubuntu with `security-events: write`

## Security fix vs spec

`ci.yml` adds `permissions: contents: read` to the build job — absent from the original spec but required to avoid an unscoped `GITHUB_TOKEN` (CodeQL alert `actions/missing-workflow-permissions`).

`CLAUDE.md` and `.github/copilot-instructions.md` are untouched.

<details>
<summary>Original prompt</summary>

## Overview

Add the security and governance foundation to the kindpath-q repository. kindpath-q is a C++20 application with a CMake build system, audio analysis engine, plugin architecture, and UI layer. It already has CLAUDE.md (40KB agent instructions for Claude Code) and a minimal copilot-instructions.md.

Do NOT modify CLAUDE.md or the existing copilot-instructions.md.

## Files to Create

### 1. `SECURITY.md`

# Security Policy

kindpath-q is a desktop audio analysis application for KindPath Collective — a frequency field scientist and creative intelligence tool. Its codebase handles audio data and user authentication.

## Reporting a Vulnerability

**Do not open a public issue for security vulnerabilities.**

Email: security@kindpathcollective.org

We will acknowledge receipt within 48 hours and coordinate responsible disclosure.

## Scope

Security concerns relevant to this repository include:
- Memory safety issues in the C++ audio processing engine
- Authentication or credential handling vulnerabilities
- Plugin loading vulnerabilities (arbitrary code execution via malicious plugins)
- Supply chain issues in external submodules or CMake dependencies
- File system access outside expected audio file directories

## Supported Versions

| Branch | Supported |
|--------|-----------|
| `main` | ✅ Active |

## Submodule Integrity

This repository uses Git submodules (see `.gitmodules`). Ensure submodule commits are pinned to verified versions. Never update submodule pointers to unreviewed commits.

### 2. `CONTRIBUTING.md`

# Contributing to kindpath-q

kindpath-q is a C++20 audio analysis application — the frequency field scientist for KindPath. It maps acoustic signature, divergence, and resonance in creative works.

## Before You Contribute

Read [CLAUDE.md](./CLAUDE.md) for the detailed agent and development instructions. Read [KINDFIELD.md](https://github.com/S4mu3lD4v1d/KindField/blob/main/KINDFIELD.md) for the epistemological foundation.

## Build Requirements

- CMake 3.21+
- C++20 compiler (AppleClang 14+, GCC 12+, or MSVC 17.4+)
- macOS Monterey (Intel) is the primary target platform
- JUCE framework (included as submodule)

## Building

```bash
git clone --recurse-submodules https://github.com/KindPath-Collective/kindpath-q.git
cd kindpath-q
mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug
cmake --build . --parallel
```

## Code Standards

- C++20 features encouraged (concepts, ranges, coroutines where appropriate)
- JUCE coding conventions for UI components
- Comprehensive error handling — no silent failures in audio processing
- Const correctness throughout
- RAII for resource management

## Testing

```bash
cd build
ctest --output-on-failure
```

All new audio processing code must have unit tests. UI code should have at minimum a smoke test.

## Pull Request Process

1. Ensure the build succeeds on macOS Monterey (Intel)
2. All tests pass (`ctest`)
3. No new compiler warnings
4. Describe: what changed, why, and what audio processing behaviour is affected

## Plugin Development

When adding or modifying plugins (in `plugins/`):

- Document the plugin's audio processing algorithm
- Include parameter ranges and default values
- Plugins must not have side effects outside their designated audio buffers

### 3. `.github/dependabot.yml`

```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "github-actions"

  # Note: C++ / CMake / submodule dependencies require manual review.
  # Submodule updates should be done deliberately — see SECURITY.md for guidance.
```

### 4. `.github/workflows/ci.yml`

```yaml

name: CI

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  build-macos:
    name: Build (macOS)
    runs-on: macos-latest

    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Install CMake
        uses: lukka/get-cmake@latest

      - name: Configure CMake
        run: |
          mkdir -p build
          cmake -B build -DCMAKE_BUILD_TYPE=Debug || echo "CMake configure step — review output for missing dependencies"

      - name: Build
        run: cmake --build build --parallel || echo "Build step — review output"

      - name: Run Tests
        working-directory: build
        run: ctest --output-on-failure || echo "No tests found or tests failed — review output"
```

### 5. `.github/workflows/codeql.yml`

```yaml

name: CodeQL

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "30 1 * * 0"

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ "c-cpp" ]

    steps:
      - name: Checkout repository
        uses: actions/...
```

</details>

*This pull request was created from Copilot chat.*

Co-authored-by: S4mu3lD4v1d <238962710+S4mu3lD4v1d@users.noreply.github.com>
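The `actions/missing-workflow-permissions` finding that the PR description cites can be checked locally before CodeQL runs. The script below is an added example, not part of this PR or the repository: a small indentation-based scanner (it assumes 2-space YAML indentation like the workflows quoted in the prompt and uses no YAML library) that reports jobs running with the default, unscoped `GITHUB_TOKEN`; the two sample workflow strings are constructed from the `ci.yml` job in the prompt, once as specified and once with the job-level `permissions` fix the PR body describes.

```python
import re

# YAML mapping key with its indentation (spaces, as in the workflows quoted in
# the prompt). List items such as "- uses: ..." deliberately do not match.
KEY_RE = re.compile(r"^( *)([A-Za-z0-9_-]+):")

def jobs_missing_permissions(workflow_text: str) -> list[str]:
    """Jobs with no `permissions` of their own in a workflow that sets none at
    top level, i.e. jobs that run with the default, unscoped GITHUB_TOKEN."""
    workflow_level, in_jobs = False, False
    jobs: dict[str, bool] = {}           # job id -> has a job-level permissions block
    job_indent = child_indent = current = None
    for line in workflow_text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                  # new top-level section (on:, jobs:, ...)
            in_jobs, current = key == "jobs", None
            workflow_level = workflow_level or key == "permissions"
        elif in_jobs:
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:     # a job id, e.g. build-macos
                current, child_indent = key, None
                jobs[current] = False
            elif current is not None and indent > job_indent:
                child_indent = indent if child_indent is None else child_indent
                # only a direct child counts; a deeper permissions: (e.g. under with:) does not
                if indent == child_indent and key == "permissions":
                    jobs[current] = True
    return [] if workflow_level else [j for j, ok in jobs.items() if not ok]

# Constructed sample: the build job as specified in the prompt, no permissions set.
CI_AS_SPECIFIED = """\
jobs:
  build-macos:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
"""

# Constructed sample: the same job with the job-level fix the PR body describes.
CI_FIXED = CI_AS_SPECIFIED.replace(
    "    steps:", "    permissions:\n      contents: read\n    steps:")

if __name__ == "__main__":
    print("unscoped jobs:", jobs_missing_permissions(CI_AS_SPECIFIED))  # ['build-macos']
```

A workflow-level `permissions:` block also satisfies the check, which is why the CodeQL workflow in the prompt (job-level `actions: read`, `contents: read`, `security-events: write`) is not flagged.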
Copilot AI changed the title from "[WIP] Add security and governance foundation to kindpath-q repository" to "Add security and governance foundation" on Feb 26, 2026.