v1.1.0: pooled runtime, 959 tests, production hardening (0 squash)

SECURITY.md

@@ -0,0 +1,53 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---|---|
+| 1.0.x | yes |
+| < 1.0 | no |
+
+## Trust Model
+
+Imhotep is a test framework. It runs with the privileges of the invoking test process.
+
+Primary trust boundaries:
+
+1. Node test process (full local process privileges)
+2. Playwright browser context (page JavaScript execution)
+3. CDP extraction channel (local browser debugging protocol)
+
+## Execution Safety Posture
+
+- No dynamic `eval`/`new Function` based execution for assertions.
+- Assertions are compiled to structured representations (AST/IR/FOL), then evaluated.
+- Runtime extraction diagnostics fail closed instead of silently passing unsupported cases.
+
+## CDP Constraints
+
+- CDP usage is intended for local Playwright sessions.
+- Extraction is read-oriented (DOM/CSS/layout facts) with temporary correlation attributes removed after use.
+- No built-in remote debugger dialing behavior is provided by framework defaults.
+
+## User-Supplied Code Risks
+
+The following run as trusted code and must be treated accordingly:
+
+- custom renderer adapters
+- custom predicates/evaluators
+- fixture pages loaded in browser contexts
+
+Do not run untrusted fixtures, renderers, or test helpers in privileged environments.
+
+## Data Sensitivity
+
+Imhotep outputs may include selectors, text labels, geometry, and diagnostics.
+
+- Treat logs/artifacts as potentially sensitive in CI.
+- Redact or avoid committing environment-specific secrets captured by test harness code.
+
+## Vulnerability Reporting
+
+Open a GitHub issue labeled `security` for non-sensitive reports.
+
+If disclosure should be private first, include "PRIVATE SECURITY REPORT" in the issue title and avoid posting exploit details until maintainers respond.