zircote
diff --git a/‎CHANGELOG.md‎
Lines changed: 155 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 155 additions & 0 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 88 additions & 0 deletions b/‎SECURITY.md‎
Lines changed: 88 additions & 0 deletions
@@ -0,0 +1,155 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Security
+- Fix TOCTOU race condition in file locking with O_NOFOLLOW flag
+- Add subprocess timeout (30s) to prevent indefinite hangs
+- Restrict lock file permissions to 0o600
+- Add thread-safe locking to ServiceRegistry and IndexService
+
+### Fixed
+- Fix missing `repo_path` in batch insert operations
+- Fix blocking lock acquisition with timeout mechanism
+
+### Added
+- Enable SQLite WAL mode for better concurrent access
+- Add SECURITY.md with vulnerability reporting process
+- Add CHANGELOG.md
+
+## [0.9.1] - 2025-12-24
+
+### Fixed
+- Add .DS_Store to gitignore
+
+### Changed
+- Update guidance builder tests to match new templates
+
+## [0.9.0] - 2025-12-24
+
+### Added
+- Pyright type checker configuration
+- Project hooks for Python code quality (format, lint, typecheck)
+
+### Fixed
+- Use project-specific index path in status and validate commands
+- Correct byte counting in batch content parsing
+
+### Changed
+- Strengthen memory block guidance with balanced requirements
+
+## [0.8.0] - 2025-12-22
+
+### Added
+- Comprehensive tests for hook_utils and session_analyzer
+- API Reference documentation
+- Environment variables documentation
+- Command help documentation
+
+### Fixed
+- Address code review findings for performance and quality
+- Address GitHub Copilot code review feedback
+- Fix unused variables and redundant imports
+
+### Changed
+- Simplify ServiceRegistry by removing over-engineering
+- Archive code review artifacts to docs/code-review/
+
+## [0.7.1] - 2025-12-21
+
+### Fixed
+- Update dependencies for ARM64 compatibility
+
+## [0.7.0] - 2025-12-21
+
+### Added
+- Auto-configure git notes sync on session start
+- Research paper on git-native semantic memory for LLM agents
+
+## [0.6.2] - 2025-12-20
+
+### Fixed
+- Minor bug fixes
+
+## [0.6.1] - 2025-12-20
+
+### Added
+- Rotating file logging
+- Increased capture limits
+
+## [0.6.0] - 2025-12-19
+
+### Changed
+- Replace ANSI colors with unicode block markers for terminal output
+
+## [0.5.4] - 2025-12-19
+
+### Added
+- Colored ::: block markers for terminal output
+
+## [0.5.3] - 2025-12-19
+
+### Fixed
+- Remove duplicate hooks reference from plugin manifest
+
+## [0.5.2] - 2025-12-19
+
+### Fixed
+- Complete hook-based memory capture with block markers
+
+## [0.5.1] - 2025-12-19
+
+### Added
+- Enhanced auto-capture across all hook events
+
+## [0.5.0] - 2025-12-19
+
+### Added
+- Enable hooks by default
+- Enhanced memory capture system
+
+## [0.4.1] - 2025-12-18
+
+### Fixed
+- Add --python flag to uv pip install for correct venv targeting
+
+## [0.4.0] - 2025-12-18
+
+### Added
+- Release workflow targets to Makefile
+
+### Changed
+- Replace Python bootstrap with bash shell wrapper for hook venv management
+
+### Fixed
+- Correct plugin.json path in bumpversion config
+- Add explanatory comments to remaining bare exception handlers
+- Address GitHub Copilot code review findings
+
+## [0.3.1] - 2025-12-17
+
+### Fixed
+- Initial stable release with core memory capture functionality
+
+[Unreleased]: https://github.com/zircote/git-notes-memory-manager/compare/v0.9.1...HEAD
+[0.9.1]: https://github.com/zircote/git-notes-memory-manager/compare/v0.9.0...v0.9.1
+[0.9.0]: https://github.com/zircote/git-notes-memory-manager/compare/v0.8.0...v0.9.0
+[0.8.0]: https://github.com/zircote/git-notes-memory-manager/compare/v0.7.1...v0.8.0
+[0.7.1]: https://github.com/zircote/git-notes-memory-manager/compare/v0.7.0...v0.7.1
+[0.7.0]: https://github.com/zircote/git-notes-memory-manager/compare/v0.6.2...v0.7.0
+[0.6.2]: https://github.com/zircote/git-notes-memory-manager/compare/v0.6.1...v0.6.2
+[0.6.1]: https://github.com/zircote/git-notes-memory-manager/compare/v0.6.0...v0.6.1
+[0.6.0]: https://github.com/zircote/git-notes-memory-manager/compare/v0.5.4...v0.6.0
+[0.5.4]: https://github.com/zircote/git-notes-memory-manager/compare/v0.5.3...v0.5.4
+[0.5.3]: https://github.com/zircote/git-notes-memory-manager/compare/v0.5.2...v0.5.3
+[0.5.2]: https://github.com/zircote/git-notes-memory-manager/compare/v0.5.1...v0.5.2
+[0.5.1]: https://github.com/zircote/git-notes-memory-manager/compare/v0.5.0...v0.5.1
+[0.5.0]: https://github.com/zircote/git-notes-memory-manager/compare/v0.4.1...v0.5.0
+[0.4.1]: https://github.com/zircote/git-notes-memory-manager/compare/v0.4.0...v0.4.1
+[0.4.0]: https://github.com/zircote/git-notes-memory-manager/compare/v0.3.1...v0.4.0
+[0.3.1]: https://github.com/zircote/git-notes-memory-manager/releases/tag/v0.3.1
@@ -0,0 +1,88 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.9.x   | :white_check_mark: |
+| < 0.9   | :x:                |
+
+## Reporting a Vulnerability
+
+We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
+
+### How to Report
+
+**DO NOT** open a public GitHub issue for security vulnerabilities.
+
+Instead, please report vulnerabilities via one of these methods:
+
+1. **GitHub Security Advisories** (Preferred)
+   - Navigate to the [Security tab](../../security/advisories) of this repository
+   - Click "Report a vulnerability"
+   - Provide a detailed description
+
+2. **Email**
+   - Send details to the repository maintainers
+   - Use the subject line: `[SECURITY] git-notes-memory vulnerability report`
+
+### What to Include
+
+Please include the following in your report:
+
+- **Description**: Clear explanation of the vulnerability
+- **Impact**: What an attacker could achieve
+- **Affected versions**: Which versions are vulnerable
+- **Steps to reproduce**: Detailed reproduction steps
+- **Proof of concept**: Code or commands demonstrating the issue (if possible)
+- **Suggested fix**: Your recommendations (if any)
+
+### Response Timeline
+
+- **Acknowledgment**: Within 48 hours of report
+- **Initial assessment**: Within 7 days
+- **Fix timeline**: Depends on severity
+  - Critical: 7 days
+  - High: 14 days
+  - Medium: 30 days
+  - Low: 60 days
+
+### Disclosure Policy
+
+- We will coordinate disclosure timing with the reporter
+- Credit will be given to reporters (unless they prefer anonymity)
+- We follow responsible disclosure practices
+
+## Security Considerations
+
+### Data Storage
+
+- Memories are stored as git notes in your local repository
+- SQLite index is stored in `~/.local/share/memory-plugin/` by default
+- Sensitive data in memories is your responsibility to manage
+
+### Best Practices
+
+1. **Avoid storing secrets**: Do not capture API keys, passwords, or credentials as memories
+2. **Review before sharing**: If sharing repositories with memories, review note contents first
+3. **Secure your repository**: Standard git security practices apply
+4. **Lock file permissions**: Lock files are created with 0o600 permissions
+
+### Known Security Features
+
+- Input validation on namespaces, summaries, and content
+- Path traversal prevention in git operations
+- No shell=True in subprocess calls
+- File locking with timeout protection
+- O_NOFOLLOW flag prevents symlink attacks on lock files
+
+## Security Audit
+
+This project underwent a security review on 2025-12-24 as part of the MAXALL code review process. Key findings were addressed:
+
+- TOCTOU race condition mitigated with O_NOFOLLOW
+- Subprocess timeouts added to prevent hangs
+- Lock file permissions restricted to 0o600
+- Thread safety added to service registry
+
+For the full security assessment, see `docs/code-review/2025/12/24/CODE_REVIEW.md`.