# Security and governance

## Security policy

- Coordinated disclosure with a defined SLA and published keys.
- Security fixes are prioritized for supported release lines.

## Hardening guidance

- Non-root containers and read-only filesystems.
- TLS for all external traffic, optional mTLS internally.
- DPoP or mTLS sender constraints for tokens.
- Signed artifacts and verified plugin signatures.
- No mandatory outbound traffic for core verification paths.

## Governance

- Maintainer review for non-trivial changes.
- Explicit security review for sensitive changes.
- Code of conduct applies across all contributions.

## Compliance and evidence

- Evidence is content-addressed, signed, and replayable.
- Audit packages include decision traces, inputs, and signatures.
- Unknowns are preserved and surfaced, not hidden.

## Related references

- docs/13_SECURITY_POLICY.md
- docs/17_SECURITY_HARDENING_GUIDE.md
- docs/11_GOVERNANCE.md
- docs/12_CODE_OF_CONDUCT.md
- docs/28_LEGAL_COMPLIANCE.md
- docs2/legal/regulator-threat-evidence.md
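The "Compliance and evidence" bullets describe three properties of an audit package: content-addressed, signed, and replayable, with unknowns kept visible. The following is an added example, not the project's own code, showing what those properties look like in practice: a package whose `id` is the SHA-256 of its canonical body, a signature over that id, and a deterministic decision function that can be re-run from the stored inputs and compared against the stored trace. HMAC-SHA256 with a constructed shared key stands in for the project's real signing scheme (a deployment would use an asymmetric key so verifiers cannot forge signatures), and the check names, record layout and sample inputs are all constructed for this demo.

```python
"""Added example (not project code): a minimal content-addressed, signed,
replayable evidence package. HMAC-SHA256 is an assumed stand-in for the
project's signing scheme; the decision checks and record layout are
constructed for illustration."""
import hashlib
import hmac
import json

# Constructed demo key. Real deployments would sign with a private key and
# publish the public key so auditors can verify without being able to sign.
DEMO_KEY = b"demo-audit-signing-key"


def canonical(obj) -> bytes:
    # Deterministic encoding (sorted keys, no whitespace) so identical
    # content always hashes to the same address.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def content_id(obj) -> str:
    return "sha256:" + hashlib.sha256(canonical(obj)).hexdigest()


def decide(inputs: dict) -> list:
    """Deterministic decision trace over the recorded inputs.
    Missing data yields an explicit 'unknown' step, never a silent pass."""
    trace = []
    sig = inputs.get("artifact_signature_valid")
    if sig is None:
        trace.append({"check": "artifact_signature", "result": "unknown",
                      "reason": "no signature verification result supplied"})
    else:
        trace.append({"check": "artifact_signature",
                      "result": "pass" if sig else "fail"})
    root = inputs.get("runs_as_root")
    if root is None:
        trace.append({"check": "non_root", "result": "unknown",
                      "reason": "runAsUser not recorded"})
    else:
        trace.append({"check": "non_root", "result": "fail" if root else "pass"})
    results = {step["result"] for step in trace}
    verdict = "fail" if "fail" in results else (
        "unknown" if "unknown" in results else "pass")
    trace.append({"check": "verdict", "result": verdict})
    return trace


def build_package(inputs: dict, key: bytes = DEMO_KEY) -> dict:
    """Bundle inputs + decision trace, address them by content, sign the address."""
    body = {"inputs": inputs, "decision_trace": decide(inputs)}
    body_id = content_id(body)
    signature = hmac.new(key, body_id.encode(), hashlib.sha256).hexdigest()
    return {"id": body_id, "body": body, "signature": signature}


def verify_package(pkg: dict, key: bytes = DEMO_KEY) -> dict:
    """Check the content address, the signature, and replay the decision
    from the stored inputs; report which steps were recorded as unknown."""
    body = pkg["body"]
    id_ok = content_id(body) == pkg["id"]
    expected = hmac.new(key, pkg["id"].encode(), hashlib.sha256).hexdigest()
    sig_ok = hmac.compare_digest(expected, pkg["signature"])
    replay_ok = decide(body["inputs"]) == body["decision_trace"]
    unknowns = [s["check"] for s in body["decision_trace"] if s["result"] == "unknown"]
    return {"content_id_ok": id_ok, "signature_ok": sig_ok,
            "replay_ok": replay_ok, "unknowns": unknowns}


if __name__ == "__main__":
    # Constructed sample: artifact signature verified, runAsUser never recorded.
    pkg = build_package({"artifact": "app:1.2.3",
                         "artifact_signature_valid": True,
                         "runs_as_root": None})
    print(json.dumps(verify_package(pkg), indent=2))
    # Editing the stored inputs breaks both the content address and the replay.
    pkg["body"]["inputs"]["artifact_signature_valid"] = False
    print(json.dumps(verify_package(pkg), indent=2))
```

Two details carry the security weight here: the verdict is `unknown` rather than `pass` when a required input is missing, so an auditor sees the gap, and a reviewer who doubts the stored trace does not have to trust it, because `verify_package` recomputes it from the stored inputs and flags any divergence.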