Fearvox · Fearvox · May 13, 2026 · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/.github/ISSUE_TEMPLATE/pr_tracker.yml b/.github/ISSUE_TEMPLATE/pr_tracker.yml
@@ -0,0 +1,109 @@
+name: PR tracker (mirror)
+description: Mirror an in-flight pull request as a tracking issue for Linear and Slack sync / 镜像一个进行中的 PR 作为追踪 issue
+title: "[PR Track] #<number>: <short summary>"
+labels: ["pr-mirror", "tracking"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Use this when you want a long-lived, auditable record of an upstream PR.
+        Linear and Slack subscribe to issues with the `pr-mirror` label.
+        镜像一个 PR 用于 Linear / Slack 长期可审计追踪。带 `pr-mirror` 标签的 issue 会被订阅。
+  - type: input
+    id: pr_number
+    attributes:
+      label: PR number
+      placeholder: "e.g. 196"
+    validations:
+      required: true
+  - type: input
+    id: pr_url
+    attributes:
+      label: PR URL
+      placeholder: https://github.com/EverMind-AI/EverOS/pull/<number>
+    validations:
+      required: true
+  - type: input
+    id: author
+    attributes:
+      label: Author handle
+      placeholder: "@github-login"
+    validations:
+      required: true
+  - type: dropdown
+    id: area
+    attributes:
+      label: Area
+      options:
+        - methods/EverCore
+        - methods/HyperMem
+        - benchmarks/EverMemBench
+        - benchmarks/EvoAgentBench
+        - use-cases
+        - documentation
+        - CI / build / release
+        - other
+    validations:
+      required: true
+  - type: dropdown
+    id: lane
+    attributes:
+      label: Review lane
+      description: How this PR should be triaged. / 该 PR 的优先级处理通道。
+      options:
+        - hotfix (block release until merged)
+        - normal (standard review)
+        - docs-only (light review)
+        - exploratory (no merge intent)
+    validations:
+      required: true
+  - type: textarea
+    id: scope
+    attributes:
+      label: Scope summary
+      description: One paragraph. What does the PR change, and what is intentionally left out?
+      placeholder: |
+        Changes:
+        - ...
+        Out of scope:
+        - ...
+    validations:
+      required: true
+  - type: textarea
+    id: evidence
+    attributes:
+      label: Evidence snapshot
+      description: |
+        Required before this mirror can be closed. Paste the CI summary, test command output,
+        or the link to the run. "No mirror closes without evidence."
+        关闭镜像 issue 前必填。粘贴 CI 摘要、测试命令输出或 run 链接。
+      render: shell
+    validations:
+      required: true
+  - type: textarea
+    id: decisions
+    attributes:
+      label: Decision log
+      description: Notable review decisions (approvals, requested changes, deferrals).
+      placeholder: |
+        - 2026-05-13 @reviewer: requested change on tests/test_x.py
+        - 2026-05-13 @author: scoped follow-up to PR #...
+  - type: input
+    id: linear_issue
+    attributes:
+      label: Linear issue (optional)
+      placeholder: "EVE-123"
+  - type: input
+    id: slack_thread
+    attributes:
+      label: Slack thread (optional)
+      placeholder: "https://everminddash.slack.com/archives/.../p..."
+  - type: checkboxes
+    id: closure
+    attributes:
+      label: Closure criteria
+      description: Check all that apply before closing this mirror.
+      options:
+        - label: PR is merged, closed, or marked won't-fix upstream.
+        - label: Evidence snapshot above reflects the final state.
+        - label: Linear and Slack records have been updated (if linked).
diff --git a/.github/ISSUE_TEMPLATE/security_tracker.yml b/.github/ISSUE_TEMPLATE/security_tracker.yml
@@ -0,0 +1,116 @@
+name: Security tracker (mirror)
+description: Mirror a security PR or disclosure for Linear and Slack escalation / 镜像一个安全 PR 或披露
+title: "[Security Track] CWE-<id>: <short summary>"
+labels: ["security", "pr-mirror", "tracking", "urgent"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Use this for any PR or disclosure that affects credentials, authn/authz, data exposure,
+        supply chain, or sandbox escape. The `urgent` label routes this to high-priority
+        notifications in Slack and Linear.
+        用于凭证、认证授权、数据暴露、供应链、沙箱逃逸等安全 PR / 披露。`urgent` 标签会触发高优先级通知。
+        Do NOT include exploit details that are not already public in the upstream PR.
+        请勿写入未在 upstream PR 公开的利用细节。
+  - type: input
+    id: cwe
+    attributes:
+      label: CWE id
+      placeholder: "CWE-798"
+    validations:
+      required: true
+  - type: input
+    id: pr_url
+    attributes:
+      label: Upstream PR or advisory URL
+      placeholder: https://github.com/EverMind-AI/EverOS/pull/<number>
+    validations:
+      required: true
+  - type: dropdown
+    id: severity
+    attributes:
+      label: Severity
+      options:
+        - Critical (full auth bypass / unauthenticated RCE / mass data loss)
+        - High (privileged data access / credential exposure / persistent compromise)
+        - Medium (limited data access / requires user interaction)
+        - Low (defense-in-depth / hardening)
+    validations:
+      required: true
+  - type: dropdown
+    id: exposure
+    attributes:
+      label: Reachability
+      description: How reachable is this in the documented quickstart / default config?
+      options:
+        - Default config (reproducible from a clean clone)
+        - Default config + network position
+        - Non-default config but documented
+        - Hypothetical / not yet reproducible
+    validations:
+      required: true
+  - type: textarea
+    id: affected
+    attributes:
+      label: Affected components
+      description: File paths, services, or versions impacted.
+      placeholder: |
+        - methods/EverCore/docker-compose.yaml (memsys-milvus-minio block)
+        - methods/EverCore/env.template
+    validations:
+      required: true
+  - type: textarea
+    id: fix_summary
+    attributes:
+      label: Proposed fix summary
+      description: One paragraph. What does the PR change? Cite the contract that makes it fail-closed.
+    validations:
+      required: true
+  - type: textarea
+    id: evidence
+    attributes:
+      label: Verification evidence
+      description: |
+        Required before closure. Show the commands and output that prove the fix works AND
+        that the unpatched state was exploitable. "No security mirror closes without evidence."
+        关闭前必填。展示证明 fix 生效以及未修复状态可利用的命令与输出。
+      render: shell
+    validations:
+      required: true
+  - type: textarea
+    id: residual
+    attributes:
+      label: Residual risk / follow-ups
+      description: Anything intentionally out of scope, plus follow-up issues that should be filed.
+      placeholder: |
+        - docs/installation/ still references the old default in examples; follow-up sweep needed.
+        - Consider adding a CI lint to catch hardcoded secrets in docker-compose files.
+  - type: input
+    id: linear_issue
+    attributes:
+      label: Linear issue (optional)
+      placeholder: "EVE-123"
+  - type: input
+    id: slack_thread
+    attributes:
+      label: Slack thread (optional)
+      placeholder: "https://everminddash.slack.com/archives/.../p..."
+  - type: checkboxes
+    id: disclosure
+    attributes:
+      label: Disclosure hygiene
+      description: Confirm before submitting.
+      options:
+        - label: This mirror contains no exploit details beyond what is already public in the upstream PR.
+          required: true
+        - label: The upstream PR or advisory link is correct and reachable.
+          required: true
+        - label: A maintainer has been pinged in Slack #p-evermind-dash or via Linear EVE if Severity is Critical or High.
+  - type: checkboxes
+    id: closure
+    attributes:
+      label: Closure criteria
+      options:
+        - label: Upstream PR merged, advisory published, or risk formally accepted.
+        - label: Verification evidence above reflects the merged state.
+        - label: Residual-risk follow-ups have issues filed (or explicitly waived).
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -4,30 +4,108 @@ Thank you for helping keep EverOS and its users safe.
 
 ## Reporting a Vulnerability
 
-Please do not open a public GitHub issue for a security vulnerability.
+**Do not open a public GitHub issue for a security vulnerability.**
 
-Report suspected vulnerabilities privately through one of the maintainer contact
-channels listed in the README, or by opening a GitHub security advisory if that
-feature is available for the repository.
+### Preferred: GitHub Security Advisory
 
-Include as much detail as you can:
+If the repository has GitHub Security Advisories enabled, open one at:
+`https://github.com/Fearvox/EverOS/security/advisories/new`
 
-- Affected component or path.
-- Steps to reproduce.
-- Impact and likely severity.
-- Relevant logs, requests, responses, or screenshots.
-- Suggested fix, if you have one.
+### Alternative: Security Tracker Issue Template
 
-## Supported Scope
+For issues that benefit from team visibility and Linear/Slack tracking, use the
+**Security Tracker** template at:
+`.github/ISSUE_TEMPLATE/security_tracker.yml`
 
-Security reports are most useful for:
+Select it from the issue template picker when opening a new issue, or create
+directly via URL:
+`https://github.com/Fearvox/EverOS/issues/new?template=security_tracker.yml`
+
+The Security Tracker includes fields for CWE, severity, exposure scope,
+affected components, fix summary, evidence, and residual risk. It
+auto-applies the `security`, `pr-mirror`, `tracking`, and `urgent` labels,
+which trigger immediate routing to Linear `EverMind-Dash` and Slack
+`#p-evermind-dash`.
+
+### What to Include
+
+- **Affected component or path** — file, API endpoint, or subsystem.
+- **Steps to reproduce** — minimum reproducible case.
+- **Impact and severity** — what an attacker gains, under what conditions.
+- **Relevant logs, requests, responses, or screenshots.**
+- **Suggested fix**, if you have one.
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| `main` (EverCore `>=0.2.0`) | Active |
+| Fork `Fearvox/EverOS` branches | Best-effort |
+| `use-cases/` demos | Community-supported, not covered by security SLA |
+
+## In-Scope
 
 - EverCore API, storage, tenant isolation, and memory retrieval behavior.
-- Authentication, authorization, or data exposure risks.
+- Authentication, authorization, or data exposure in `methods/EverCore/`.
 - Secret handling in examples, demos, and deployment files.
-- Benchmark or use-case code that could execute untrusted input unsafely.
+- Benchmark or use-case code that executes untrusted input.
+- CI/CD workflows that handle secrets (`linear-sync.yml`, `sync-upstream.yml`).
+- GitHub Actions supply-chain risks in `Fearvox/EverOS` workflows.
+
+## Out of Scope
+
+- Upstream `EverMind-AI/EverOS` security — report those directly to upstream
+  maintainers. The fork does not triage upstream's issues.
+- Infrastructure-level attacks against GitHub Actions, Linear, or Slack.
+- Social engineering or phishing.
+- DOS attacks against the public GitHub repo.
+
+## Security Workflow
+
+```
+Report → Security Tracker Issue (private or labeled) →
+  ├─ linear-sync.yml creates EVE in Linear EverMind-Dash →
+  │   └─ Linear → Slack #p-evermind-dash (urgent flag)
+  ├─ Triage within 48h (urgent) or 5 business days (standard)
+  ├─ Fix developed on fork feature branch
+  ├─ Fix promoted upstream via PR to EverMind-AI/EverOS
+  └─ Public disclosure after fix lands upstream
+```
+
+### Label Routing
+
+| Label | Effect |
+|-------|--------|
+| `security` | Identifies the issue as security-sensitive |
+| `urgent` | Escalates Linear priority to Urgent (1); immediate Slack notification |
+| `sync-failed` | Auto-applied if Linear sync errors — check workflow logs |
+
+## Dependabot Alerts
+
+Dependabot scans for vulnerable dependencies across `methods/EverCore/`,
+`benchmarks/`, and `use-cases/`. Alerts are visible at:
+`https://github.com/Fearvox/EverOS/security/dependabot`
+
+Alert response SLA:
+- **Critical**: patch within 7 days
+- **High**: patch within 30 days
+- **Moderate / Low**: addressed in next regular dependency update cycle
+
+Dependabot PRs should be reviewed for breaking changes before merge, especially
+in `use-cases/` where demo lockfiles may pin older versions intentionally.
+
+## Disclosure Timeline
+
+1. **T-0**: Report received, initial triage within 48h.
+2. **T-3d**: Confirmation + severity assessment shared with reporter.
+3. **T-7d (critical) / T-30d (high)**: Fix developed and tested on fork.
+4. **Fix day**: Fix promoted upstream. CVE or advisory filed if applicable.
+5. **Fix + 7d**: Public disclosure with full details, credit to reporter.
+
+Maintainers may adjust the timeline for severity, exploitability, or upstream
+coordination needs.
 
-## Disclosure
+## Past Advisories
 
-Maintainers will review reports and coordinate a fix before public disclosure
-when the issue is confirmed.
+None at this time. This section will be updated when the first advisory is
+published.