# Security and governance

## Security policy

- Coordinated disclosure with a defined SLA and published keys.
- Security fixes are prioritized for supported release lines.

## Hardening guidance

- Non-root containers and read-only filesystems.
- TLS for all external traffic, optional mTLS internally.
- DPoP or mTLS sender constraints for tokens.
- Signed artifacts and verified plugin signatures.
- No mandatory outbound traffic for core verification paths.

## Governance

- Lazy consensus with maintainer review for non-trivial changes.
- Explicit security review for sensitive changes.
- Contribution rules and code of conduct apply to all repos.

## Compliance and evidence

- Evidence is content-addressed, signed, and replayable.
- Audit packages include decision traces, inputs, and signatures.
- Unknowns are preserved and surfaced, not hidden.
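The hardening guidance above lists DPoP sender constraints for tokens without showing what a resource server actually checks. The following is an added example, not code from this project: it performs the binding check of RFC 9449 (the access token's `cnf.jkt` claim must equal the RFC 7638 thumbprint of the public JWK carried in the DPoP proof header) plus the proof's method, URI, freshness and single-use checks. It assumes the proof's JWS signature has already been verified by a JWS library, and the JWK values, claim names for the sample token, and the `seen_jti` replay set are constructed for illustration.

```python
"""Added example (not the project's code): DPoP sender-constraint binding check.

Assumption: the DPoP proof JWS signature was already verified against the
key in its own header by a JWS library. This code checks only that the key
matches the token's cnf.jkt and that the proof's claims fit the request.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexically ordered, with no whitespace, base64url-encoded."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
        "OKP": ("crv", "kty", "x"),
    }
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_dpop_binding(token_claims, proof_header, proof_claims,
                       method, uri, now, seen_jti, max_age=300):
    """Return (ok, reason). seen_jti is a mutable set of proof ids already
    accepted, so a captured proof cannot be replayed within its window."""
    jkt = token_claims.get("cnf", {}).get("jkt")
    if not jkt:
        return False, "token is not sender-constrained (no cnf.jkt)"
    if proof_header.get("typ") != "dpop+jwt":
        return False, "proof typ is not dpop+jwt"
    jwk = proof_header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:  # public key only, never a private part
        return False, "proof lacks a public JWK"
    if jwk_thumbprint(jwk) != jkt:
        return False, "proof key does not match cnf.jkt"
    if proof_claims.get("htm") != method:
        return False, "htm does not match request method"
    if proof_claims.get("htu") != uri:
        return False, "htu does not match request URI"
    iat = proof_claims.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + 60):
        return False, "proof iat outside acceptance window"
    jti = proof_claims.get("jti")
    if not jti or jti in seen_jti:
        return False, "proof jti missing or already used"
    seen_jti.add(jti)
    return True, "ok"


# Constructed sample data: an EC P-256 public JWK with placeholder coordinates
# (no signature is verified here, so the coordinates need not be a real point).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
SAMPLE_TOKEN = {"sub": "svc-a", "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}
SAMPLE_HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
SAMPLE_PROOF = {"htm": "POST", "htu": "https://api.example.test/verify",
                "iat": 1_700_000_000, "jti": "proof-0001"}


if __name__ == "__main__":
    seen = set()
    print(check_dpop_binding(SAMPLE_TOKEN, SAMPLE_HEADER, SAMPLE_PROOF,
                             "POST", "https://api.example.test/verify",
                             1_700_000_010, seen))
```

The thumbprint comparison is what makes the token "sender-constrained": a bearer who holds the token but not the matching private key cannot produce a proof whose header key hashes to `cnf.jkt`. The `jti` set is the simplest replay cache; in practice it should be bounded to the `max_age` window.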
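The compliance section above states three properties of evidence (content-addressed, signed, replayable) and that unknowns are preserved rather than hidden, but gives no shape for an audit package. The block below is an added example, not the project's own format or code: it builds a package whose inputs and body are addressed by SHA-256 digests, records a decision trace that references those digests, keeps checks that could not be evaluated in an explicit `unknowns` list, signs the body digest, and replays the decision from the stored inputs to confirm it is reproducible. HMAC-SHA256 stands in for whatever real signing scheme the project uses, and the `evaluate` policy and sample input records are illustrative assumptions.

```python
"""Added example (not the project's code): a content-addressed, signed,
replayable evidence package with unknowns preserved.

Assumptions: HMAC-SHA256 stands in for the real signature scheme; the
policy in evaluate() is an illustrative stand-in for the project's checks.
"""
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    """Deterministic JSON so the same content always yields the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest(obj) -> str:
    return "sha256:" + hashlib.sha256(canonical(obj)).hexdigest()


def evaluate(inputs: dict) -> dict:
    """Illustrative policy. Each input record carries a check name and a result
    of True, False or None (None = could not be evaluated, e.g. an attestation
    that was unavailable). None results are surfaced as unknowns, never dropped."""
    trace, unknowns = [], []
    for name in sorted(inputs):  # sorted so the trace is replay-stable
        rec = inputs[name]
        if rec["result"] is None:
            unknowns.append(name)
        trace.append({"input": digest(rec), "check": rec["check"], "result": rec["result"]})
    if any(step["result"] is False for step in trace):
        verdict = "deny"
    elif unknowns:
        verdict = "review"  # fail towards human review rather than silently allow
    else:
        verdict = "allow"
    return {"trace": trace, "unknowns": unknowns, "verdict": verdict}


def build_package(inputs: dict, key: bytes) -> dict:
    body = {
        "inputs": {name: {"digest": digest(rec), "record": rec} for name, rec in inputs.items()},
        "decision": evaluate(inputs),
    }
    body_id = digest(body)  # the package is addressed by the digest of its body
    signature = hmac.new(key, body_id.encode("utf-8"), "sha256").hexdigest()
    return {"id": body_id, "body": body, "signature": signature}


def replay(package: dict, key: bytes):
    """Return (ok, reason): verify addressing, signature, each input's
    digest, and that re-running the policy reproduces the recorded decision."""
    body = package["body"]
    if digest(body) != package["id"]:
        return False, "body digest mismatch"
    expected = hmac.new(key, package["id"].encode("utf-8"), "sha256").hexdigest()
    if not hmac.compare_digest(expected, package["signature"]):
        return False, "bad signature"
    for name, entry in body["inputs"].items():
        if digest(entry["record"]) != entry["digest"]:
            return False, f"input {name} does not match its digest"
    records = {name: entry["record"] for name, entry in body["inputs"].items()}
    if evaluate(records) != body["decision"]:
        return False, "decision does not replay from inputs"
    return True, "ok"


# Constructed sample: one check passed, one could not be evaluated.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_INPUTS = {
    "artifact_signature": {"check": "signature verifies against trusted key", "result": True},
    "provenance_attestation": {"check": "SLSA provenance present", "result": None},
}


if __name__ == "__main__":
    pkg = build_package(SAMPLE_INPUTS, SAMPLE_KEY)
    print(pkg["id"], pkg["body"]["decision"]["verdict"], pkg["body"]["decision"]["unknowns"])
    print(replay(pkg, SAMPLE_KEY))
```

Replaying is what makes the package auditable rather than merely archived: an auditor with the inputs and the policy can regenerate the trace and verdict and confirm nothing was edited after the fact, and the `unknowns` list shows exactly which checks the verdict did not rest on.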