chore: add SECURITY.md and harden .gitignore for public release

jiten-singh-shahi · jiten-singh-shahi · commit 8d12b4125edd · 2026-04-01T13:49:03.000-04:00
Add security vulnerability reporting policy. Extend .gitignore to
cover credential files (.pem, .key, credentials.json, .npmrc).
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,43 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| latest  | Yes       |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Salesforce Claude Code (SCC), please report it responsibly.
+
+**Do not open a public issue for security vulnerabilities.**
+
+Instead, use one of these methods:
+
+1. **GitHub Security Advisories** (preferred): [Report a vulnerability](https://github.com/jiten-singh-shahi/salesforce-claude-code/security/advisories/new)
+2. **Email**: jitencseng@gmail.com — include "SCC Security" in the subject line
+
+### What to Include
+
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested fix (if any)
+
+### Response Timeline
+
+- **Acknowledgement**: Within 48 hours
+- **Assessment**: Within 7 days
+- **Fix**: Within 30 days for critical issues
+
+### Scope
+
+This policy covers:
+- SCC plugin code (agents, skills, hooks, scripts)
+- CLI tools (`npx scc`)
+- CI/CD pipeline configuration
+- Hook scripts that execute in user environments
+
+This policy does not cover:
+- Salesforce platform vulnerabilities (report to Salesforce directly)
+- Third-party dependencies (report to the upstream maintainer)
diff --git a/.gitignore b/.gitignore
@@ -10,9 +10,14 @@ dist/
 npm-debug.log*
 .env
 .env.local
+.env.*.local
 *.swp
 *.swo
 .idea/
 .vscode/settings.json
 .claude/
-workspace/
+workspace/
+*.pem
+*.key
+credentials.json
+.npmrc
