chore: add GitHub security governance

.github/CODEOWNERS

@@ -0,0 +1,65 @@
+# CODEOWNERS for cachekit-py
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+#
+# These owners will be requested for review when someone opens a pull request
+# that modifies code that they own. Order matters - last matching pattern wins.
+
+# Default: repository maintainers own everything
+*                               @cachekit-io/maintainers
+
+# ─────────────────────────────────────────────────────────────────────────────
+# CRITICAL SECURITY PATHS
+# These require security team review for any changes
+# ─────────────────────────────────────────────────────────────────────────────
+
+# Rust core - memory safety, FFI boundaries, cryptography
+/rust/                          @cachekit-io/maintainers @cachekit-io/security
+
+# Security-critical Python modules
+/src/cachekit/serializers/      @cachekit-io/maintainers @cachekit-io/security
+/src/cachekit/reliability/      @cachekit-io/maintainers @cachekit-io/security
+
+# ─────────────────────────────────────────────────────────────────────────────
+# CI/CD AND RELEASE INFRASTRUCTURE
+# Changes here can compromise supply chain
+# ─────────────────────────────────────────────────────────────────────────────
+
+/.github/workflows/             @cachekit-io/maintainers @cachekit-io/security
+/.github/CODEOWNERS             @cachekit-io/maintainers
+/release-please-config.json     @cachekit-io/maintainers
+/.release-please-manifest.json  @cachekit-io/maintainers
+
+# ─────────────────────────────────────────────────────────────────────────────
+# BUILD AND DEPENDENCY CONFIGURATION
+# Supply chain attack surface
+# ─────────────────────────────────────────────────────────────────────────────
+
+/pyproject.toml                 @cachekit-io/maintainers
+/rust/Cargo.toml                @cachekit-io/maintainers @cachekit-io/security
+/rust/Cargo.lock                @cachekit-io/maintainers
+/.pre-commit-config.yaml        @cachekit-io/maintainers
+
+# ─────────────────────────────────────────────────────────────────────────────
+# SECURITY DOCUMENTATION
+# ─────────────────────────────────────────────────────────────────────────────
+
+/SECURITY.md                    @cachekit-io/maintainers @cachekit-io/security
+/.github/SECURITY.md            @cachekit-io/maintainers @cachekit-io/security
+
+# ─────────────────────────────────────────────────────────────────────────────
+# DOCUMENTATION
+# Lower barrier - docs team can approve
+# ─────────────────────────────────────────────────────────────────────────────
+
+/docs/                          @cachekit-io/maintainers
+/README.md                      @cachekit-io/maintainers
+/CHANGELOG.md                   @cachekit-io/maintainers
+
+# ─────────────────────────────────────────────────────────────────────────────
+# TESTS
+# Test changes generally safe, but fuzzing/security tests need security review
+# ─────────────────────────────────────────────────────────────────────────────
+
+/tests/                         @cachekit-io/maintainers
+/tests/security/                @cachekit-io/maintainers @cachekit-io/security
+/tests/fuzz/                    @cachekit-io/maintainers @cachekit-io/security

.github/dependabot.yml

@@ -0,0 +1,124 @@
+# Dependabot configuration for cachekit-py
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+
+registries:
+  # No private registries - all deps are public
+
+updates:
+  # ─────────────────────────────────────────────────────────────────────────
+  # GitHub Actions
+  # Keep CI/CD supply chain current
+  # ─────────────────────────────────────────────────────────────────────────
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/Los_Angeles"
+    commit-message:
+      prefix: "ci"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    reviewers:
+      - "cachekit-io/maintainers"
+    # Group minor/patch updates to reduce PR noise
+    groups:
+      actions-minor:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+
+  # ─────────────────────────────────────────────────────────────────────────
+  # Python (pip/uv)
+  # ─────────────────────────────────────────────────────────────────────────
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/Los_Angeles"
+    commit-message:
+      prefix: "chore"
+    labels:
+      - "dependencies"
+      - "python"
+    reviewers:
+      - "cachekit-io/maintainers"
+    # Ignore pre-releases unless explicitly opted in
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-prerelease"]
+    # Group by type to reduce PR noise
+    groups:
+      # Security-sensitive dependencies get individual PRs
+      # (not grouped - we want to review each)
+      python-dev:
+        patterns:
+          - "pytest*"
+          - "ruff"
+          - "basedpyright"
+          - "faker"
+          - "hypothesis"
+        update-types:
+          - "minor"
+          - "patch"
+      python-runtime:
+        patterns:
+          - "redis*"
+          - "pydantic*"
+          - "tenacity"
+          - "prometheus-client"
+          - "psutil"
+        update-types:
+          - "minor"
+          - "patch"
+      python-serialization:
+        patterns:
+          - "blake3"
+          - "msgpack"
+          - "orjson"
+          - "xxhash"
+        update-types:
+          - "minor"
+          - "patch"
+
+  # ─────────────────────────────────────────────────────────────────────────
+  # Rust (Cargo)
+  # ─────────────────────────────────────────────────────────────────────────
+  - package-ecosystem: "cargo"
+    directory: "/rust"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/Los_Angeles"
+    commit-message:
+      prefix: "chore"
+    labels:
+      - "dependencies"
+      - "rust"
+    reviewers:
+      - "cachekit-io/maintainers"
+      - "cachekit-io/security"  # Rust deps affect memory safety
+    # Security-critical crates get individual attention
+    # cachekit-core is pinned exactly, so dependabot won't touch it
+    groups:
+      rust-dev:
+        patterns:
+          - "criterion"
+          - "proptest"
+          - "divan"
+          - "fastrand"
+          - "iai-callgrind"
+          - "pprof"
+          - "ctor"
+        update-types:
+          - "minor"
+          - "patch"

.github/pull_request_template.md

@@ -11,7 +11,35 @@ Why are these changes needed? What problem do they solve?
 - [ ] Bug fix (non-breaking)
 - [ ] New feature (non-breaking)
 - [ ] Breaking change
+- [ ] Performance improvement
 - [ ] Documentation update
+- [ ] Refactoring (no behavior change)
+- [ ] CI/CD or tooling change
+
+---
+
+## Security Checklist
+
+**For ALL PRs, verify:**
+
+- [ ] No secrets, credentials, or API keys in code or comments
+- [ ] No hardcoded sensitive data (use env vars or config)
+- [ ] User input is validated/sanitized where applicable
+- [ ] Error messages don't leak sensitive information
+
+**For PRs touching security-critical paths** (`/rust/`, `/src/cachekit/serializers/`, `/src/cachekit/reliability/`, workflows):
+
+- [ ] Changes reviewed by security team (@cachekit-io/security)
+- [ ] No new `unsafe` blocks without justification
+- [ ] Cryptographic code uses audited libraries (no custom crypto)
+- [ ] FFI boundaries maintain memory safety guarantees
+
+**For PRs adding/updating dependencies:**
+
+- [ ] Dependency is from trusted source with active maintenance
+- [ ] No known CVEs (`pip-audit` / `cargo-audit` clean)
+- [ ] License is compatible (MIT, Apache-2.0, BSD)
+- [ ] Justified: not adding unnecessary attack surface
 
 ---
 
@@ -38,6 +66,15 @@ Why are these changes needed? What problem do they solve?
 - [ ] Integration tests added/updated
 - [ ] Tests pass: `make test-critical`
 - [ ] No test regressions
+- [ ] For performance changes: Benchmark results attached
+
+---
+
+## Backward Compatibility
+
+- [ ] API is backward compatible OR breaking change is documented
+- [ ] No removal of public APIs without deprecation period
+- [ ] Migration path documented for breaking changes
 
 ---
 

.github/workflows/codeql.yml

@@ -0,0 +1,100 @@
+# CodeQL Static Application Security Testing (SAST)
+# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository
+#
+# Analyzes Python and Rust code for:
+# - Security vulnerabilities (injection, XSS, SSRF, etc.)
+# - Code quality issues
+# - Supply chain risks
+# - Common programming errors
+#
+# Results appear in GitHub Security tab and as PR annotations.
+
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly deep scan on Sunday at 3am UTC
+    - cron: "0 3 * * 0"
+  workflow_dispatch:
+    # Manual trigger for ad-hoc security analysis
+
+permissions:
+  contents: read
+  security-events: write  # Required for uploading SARIF results
+  actions: read           # Required for workflow status
+
+concurrency:
+  group: codeql-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - python
+          # Note: Rust support is limited in CodeQL
+          # We rely on cargo-audit, cargo-deny, and Miri for Rust security
+        # CodeQL language config
+        # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Python setup for accurate analysis
+      - name: Set up Python
+        if: matrix.language == 'python'
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install Python dependencies
+        if: matrix.language == 'python'
+        run: |
+          python -m pip install --upgrade pip
+          # Install dependencies so CodeQL can analyze import resolution
+          pip install -e ".[data]" || pip install -e .
+
+      # Initialize CodeQL
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # Use security-extended for maximum coverage
+          # Options: security-extended, security-and-quality
+          queries: security-extended
+          # Config file for custom queries (optional)
+          # config-file: .github/codeql/codeql-config.yml
+
+      # Autobuild attempts to build any compiled code
+      # For Python, this is largely a no-op but ensures imports resolve
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      # Run CodeQL analysis
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
+          # Upload SARIF to GitHub Security tab
+          upload: true
+          # Also output SARIF for artifact storage
+          output: sarif-results
+
+      # Archive SARIF for audit trail
+      - name: Upload SARIF artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: codeql-sarif-${{ matrix.language }}
+          path: sarif-results
+          retention-days: 90

.github/workflows/release-please.yml

@@ -17,13 +17,23 @@ jobs:
       tag_name: ${{ steps.release.outputs.tag_name }}
       version: ${{ steps.release.outputs.version }}
     steps:
+      # Use GitHub App for token vending (avoids branch protection issues with GITHUB_TOKEN)
+      # If APP_ID/APP_PRIVATE_KEY not set, falls back to GITHUB_TOKEN
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        if: ${{ vars.USE_APP_TOKEN == 'true' }}
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Run release-please
         id: release
         uses: googleapis/release-please-action@v4
         with:
           manifest-file: .release-please-manifest.json
           config-file: release-please-config.json
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
 
   build-wheels:
     name: Build wheels (${{ matrix.target }})

.pre-commit-config.yaml

@@ -48,3 +48,20 @@ repos:
       - id: check-added-large-files
         args: [--maxkb=1000]
       - id: check-merge-conflict
+
+  # Secret scanning - prevent credential leaks
+  # Uses Yelp's detect-secrets with high entropy detection
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args:
+          - --baseline
+          - .secrets.baseline
+        exclude: |
+          (?x)^(
+            .*\.lock$|
+            .*\.sum$|
+            tests/fixtures/.*|
+            docs/.*\.md$
+          )$