docs(repo): add security reporting and issue routing (#769)

This commit is contained in:
Kai (Tam Nhu) Tran
2026-03-23 09:51:33 -04:00
committed by GitHub
parent 8e90404774
commit 185f7f469e
8 changed files with 128 additions and 10 deletions
+2 -2
View File
@@ -31,9 +31,9 @@ This applies to project spaces, including:
Maintainers may edit or remove content, lock conversations, close threads, reject contributions, or block participants when needed to protect the project and contributors.
For non-sensitive concerns, open a GitHub Discussion or issue.
For non-sensitive concerns, use the public issue templates.
For sensitive concerns, do not post details publicly. Ask a maintainer for a private reporting path first and keep the initial message minimal.
For sensitive concerns, do not post details publicly. Use the private reporting path in `SECURITY.md`.
## Practical Rule
+2
View File
@@ -9,6 +9,8 @@ body:
value: |
Thanks for reporting this. Use as much of this template as you can.
A partial but useful report is better than no report.
If this is a suspected security vulnerability, do not file it publicly. Use the private reporting path in `SECURITY.md`.
- type: dropdown
id: area
attributes:
+7 -4
View File
@@ -1,5 +1,8 @@
blank_issues_enabled: true
blank_issues_enabled: false
contact_links:
- name: Questions and discussion
url: https://github.com/kaitranntt/ccs/discussions
about: Use Discussions for open-ended questions, support requests, and idea shaping.
- name: Private security report
url: https://github.com/kaitranntt/ccs/security/advisories/new
about: Report suspected vulnerabilities privately. Do not open public issues for security reports.
- name: Documentation hub
url: https://docs.ccs.kaitran.ca
about: Installation, provider guides, CLI reference, and troubleshooting.
+1 -1
View File
@@ -60,5 +60,5 @@ body:
attributes:
label: Before submitting
options:
- label: I searched existing issues and discussions first.
- label: I searched existing issues and docs first.
- label: This request describes a concrete user problem, not just a broad idea dump.
+58
View File
@@ -0,0 +1,58 @@
name: Question
description: Ask for setup help, usage clarification, or behavior explanation when docs do not answer it.
title: "question: "
labels:
- question
body:
- type: markdown
attributes:
value: |
Questions are welcome.
If this is a suspected security vulnerability, stop here and use the private reporting path in `SECURITY.md` instead of posting details publicly.
- type: dropdown
id: area
attributes:
label: Topic
options:
- Installation or setup
- CLI usage
- Dashboard or config
- Provider or auth flow
- API profiles or proxy
- Contributor workflow
- Other
- type: textarea
id: question
attributes:
label: What do you need help with?
placeholder: I expected `ccs ...` to do ..., but I am not sure whether I configured it correctly.
validations:
required: true
- type: textarea
id: context
attributes:
label: Context
description: Include what you tried, what docs you checked, and what blocked you.
- type: input
id: version
attributes:
label: CCS version
description: Output of `ccs --version`, if you have it
placeholder: 7.56.0
- type: dropdown
id: os
attributes:
label: Operating system
options:
- macOS
- Linux
- Windows
- Other
- type: checkboxes
id: checks
attributes:
label: Before submitting
options:
- label: I checked the docs and existing issues first.
- label: This is not a private security disclosure.
+13 -1
View File
@@ -9,6 +9,7 @@ CCS is a Bun + TypeScript CLI with a React dashboard. This guide is the shortest
- Open PRs against `dev`.
- Use conventional commits.
- If you change user-facing behavior, update the docs that describe it.
- Suspected security vulnerabilities do not go through public issues. Use [SECURITY.md](./SECURITY.md).
If you are new to the project, start with a docs fix, a focused bug fix, or an issue labeled `good first issue`.
@@ -191,10 +192,21 @@ Releases are automated with semantic-release.
- Merges to `main` publish the `@latest` channel.
- Do not manually bump versions, create tags, or run manual `npm publish`.
## Security Reporting
If you think you found a security vulnerability, do not open a public GitHub issue.
Use the private reporting path in [SECURITY.md](./SECURITY.md):
- https://github.com/kaitranntt/ccs/security/advisories/new
Public issues are fine for normal bugs, regressions, docs problems, and feature requests. They are not fine for exploit details, leaked credentials, or anything that could put users at risk before a fix ships.
## Need Help?
- Bugs and features: https://github.com/kaitranntt/ccs/issues
- Questions and discussion: https://github.com/kaitranntt/ccs/discussions
- Questions: https://github.com/kaitranntt/ccs/issues/new/choose
- Security reports: https://github.com/kaitranntt/ccs/security/advisories/new
- Hosted docs: https://docs.ccs.kaitran.ca
- User-facing docs: [README.md](./README.md)
- Internal architecture notes: [docs/](./docs)
+9 -2
View File
@@ -32,6 +32,13 @@ Run Claude, Gemini, GLM, and any Anthropic-compatible API - concurrently, withou
Looking for the full setup guide, command reference, provider guides, or troubleshooting?
Start at **https://docs.ccs.kaitran.ca**.
## Contribute And Report Safely
- Contributing guide: [CONTRIBUTING.md](./CONTRIBUTING.md)
- Starter work: [good first issue](https://github.com/kaitranntt/ccs/labels/good%20first%20issue), [help wanted](https://github.com/kaitranntt/ccs/labels/help%20wanted)
- Questions: [open a question issue](https://github.com/kaitranntt/ccs/issues/new/choose)
- Security reports: [SECURITY.md](./SECURITY.md) and the [private advisory form](https://github.com/kaitranntt/ccs/security/advisories/new)
### 1. Install
```bash
@@ -665,7 +672,7 @@ bun remove -g @kaitranntt/ccs
## Contributing
See [CONTRIBUTING.md](./CONTRIBUTING.md).
See [CONTRIBUTING.md](./CONTRIBUTING.md). For suspected vulnerabilities, use [SECURITY.md](./SECURITY.md) instead of a public issue.
<br>
@@ -683,6 +690,6 @@ MIT License - see [LICENSE](LICENSE).
---
**[ccs.kaitran.ca](https://ccs.kaitran.ca)** | **[docs.ccs.kaitran.ca](https://docs.ccs.kaitran.ca)** | [Report Issues](https://github.com/kaitranntt/ccs/issues) | [Star on GitHub](https://github.com/kaitranntt/ccs)
**[ccs.kaitran.ca](https://ccs.kaitran.ca)** | **[docs.ccs.kaitran.ca](https://docs.ccs.kaitran.ca)** | [Issue Templates](https://github.com/kaitranntt/ccs/issues/new/choose) | [Private Security Report](https://github.com/kaitranntt/ccs/security/advisories/new) | [Star on GitHub](https://github.com/kaitranntt/ccs)
</div>
+36
View File
@@ -0,0 +1,36 @@
# Security Policy
## Supported Versions
Security fixes are applied to the latest supported release line and the active development branch.
| Branch / channel | Status |
| --- | --- |
| `main` / `@latest` | Supported |
| `dev` / `@dev` | Supported |
| Older releases | Best effort only |
## Report A Vulnerability
Do not open public GitHub issues for suspected security vulnerabilities.
Use GitHub Private Vulnerability Reporting instead:
- https://github.com/kaitranntt/ccs/security/advisories/new
Include:
- A short description of the issue
- Affected version, branch, or install method
- Reproduction steps or proof of concept
- Impact assessment if you have one
Please avoid posting tokens, cookies, private configs, or exploit details in public issues, discussions, or screenshots.
## What To Expect
- Initial acknowledgement target: within 3 business days
- Triage and severity assessment after reproduction
- A coordinated fix and release when the report is confirmed
If you already opened a public issue by mistake, edit it down to a minimal note and ask for a private reporting path instead of posting more detail.