From 52621f38c0862abe300b66c762c0928ff83a5ccb Mon Sep 17 00:00:00 2001 From: satyakwok Date: Thu, 7 May 2026 14:38:17 +0200 Subject: [PATCH 1/2] chore: add SECURITY + issue/PR templates + CONTRIBUTING + CodeQL + CHANGELOG scaffold MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Universal hygiene pass post-2026-05-07 audit. Idempotent — skips files that already exist. --- .github/ISSUE_TEMPLATE/bug.yml | 29 ++++++++++++++++++++++ .github/ISSUE_TEMPLATE/config.yml | 8 ++++++ .github/ISSUE_TEMPLATE/feature.yml | 18 ++++++++++++++ .github/pull_request_template.md | 13 ++++++++++ .github/workflows/codeql.yml | 31 ++++++++++++++++++++++++ CHANGELOG.md | 9 +++++++ CONTRIBUTING.md | 34 ++++++++++++++++++++++++++ SECURITY.md | 39 ++++++++++++++++++++++++++++++ 8 files changed, 181 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug.yml create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/feature.yml create mode 100644 .github/pull_request_template.md create mode 100644 .github/workflows/codeql.yml create mode 100644 CHANGELOG.md create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml new file mode 100644 index 0000000..b39e522 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug.yml 
@@ -0,0 +1,29 @@ +name: Bug report +description: Something isn't working as expected +labels: [bug] +body: + - type: textarea + id: what + attributes: + label: What's broken? + description: Describe what's not working. + validations: + required: true + - type: textarea + id: repro + attributes: + label: Steps to reproduce + description: Numbered list, ideally with commit hash + chain ID + URL. + - type: textarea + id: expected + attributes: + label: Expected behavior + - type: textarea + id: actual + attributes: + label: Actual behavior + - type: input + id: version + attributes: + label: Version / commit + placeholder: v2.1.85 / abc1234 diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..32ff236 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,8 @@ +blank_issues_enabled: false +contact_links: + - name: Security vulnerability + url: mailto:security@sentriscloud.com + about: Report a security issue privately. Do NOT open a public issue. + - name: Sentrix Discord + url: https://discord.gg/sentrixchain + about: General questions and support diff --git a/.github/ISSUE_TEMPLATE/feature.yml b/.github/ISSUE_TEMPLATE/feature.yml new file mode 100644 index 0000000..8b0f5fc --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature.yml @@ -0,0 +1,18 @@ +name: Feature request +description: Suggest something new +labels: [enhancement] +body: + - type: textarea + id: problem + attributes: + label: What problem does this solve? + validations: + required: true + - type: textarea + id: proposal + attributes: + label: Proposed approach + - type: textarea + id: alternatives + attributes: + label: Alternatives considered diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..8931a67 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,13 @@ +## Summary + + + +## Test plan + + + +- [ ] + +## Related + + 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..12e14ed --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,31 @@ +name: CodeQL + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: '0 5 * * 1' # Weekly Monday 05:00 UTC + +permissions: + actions: read + contents: read + security-events: write + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-22.04 + strategy: + fail-fast: false + matrix: + language: ['javascript-typescript'] + steps: + - uses: actions/checkout@v5 + - uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + - uses: github/codeql-action/analyze@v3 + with: + category: '/language:${{ matrix.language }}' diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..25ed73c --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,9 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..f342750 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,34 @@ +# Contributing + +Thanks for your interest in Sentrix. + +## Quick start + +1. Fork the repo, clone your fork. +2. Create a branch: `git checkout -b feat/my-change`. +3. Make your change. Keep PRs focused. +4. Run the test suite locally before opening the PR. +5. Open a pull request against `main`. CI runs automatically. + +## PR conventions + +- One conceptual change per PR. +- Conventional-commit-style title: `feat:`, `fix:`, `chore:`, `docs:`, `ci:`, `test:`, `refactor:`. +- Test plan in the PR body. +- For consensus-touching code in `sentrix-labs/sentrix`: include a regression test that fails on `main` and passes after. + +## Code style + +- Match existing patterns in the file/module. +- No drive-by formatting changes outside the diff. +- For Rust: `cargo fmt` + `cargo clippy --workspace --tests -- -D warnings` clean. +- For TypeScript: `pnpm lint` + `pnpm typecheck` clean. +- For Solidity: `forge fmt` + `forge build` clean. + +## Bug reports + +Use the issue templates. Include version/commit + reproduction steps. + +## Security + +Vulnerabilities go to `security@sentriscloud.com`, NOT a public issue. See `SECURITY.md`. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..019be6f --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,39 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability in this repository, please report it privately. **Do not open a public GitHub issue.** + +**Contact:** `security@sentriscloud.com` + +Please include: + +- A description of the vulnerability +- Steps to reproduce +- The affected version / commit hash +- Any suggested mitigation + +## Response Timeline + +- **Initial acknowledgment:** within 72 hours +- **Triage:** within 7 days +- **Resolution target:** depends on severity (critical: days, high: weeks, medium: next release) + +## Scope + +In scope: + +- Smart contracts deployed via canonical addresses on Sentrix Chain (chain ID 7119 mainnet, 7120 testnet) +- Sentrix node binary (consensus, state, EVM) +- Frontend apps that handle user keys or balances (faucet, scan, coinblast, dex, solux) +- Indexer / SDK that touches user-controlled data + +Out of scope: + +- Third-party dependencies (report upstream first; we can advisory-track if confirmed) +- Issues requiring physical access to a validator host +- Social engineering against operators + +## Bug Bounty + +A formal bug bounty program is under design. Reach out for case-by-case disclosure rewards. From a3f1f4196b5803eccbf07a21ccbc4be6059da426 Mon Sep 17 00:00:00 2001 From: satyakwok Date: Thu, 7 May 2026 15:47:33 +0200 Subject: [PATCH 2/2] ci: re-trigger workflow
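Review bot: In `.github/ISSUE_TEMPLATE/bug.yml` only the `what` textarea carries `validations: required: true`; the `repro` and `version` fields, which the description itself says triage needs ("commit hash + chain ID + URL"), can be left empty. Suggest adding the same `validations:` / `required: true` block under `id: repro` and `id: version` so a report cannot be filed without a reproduction and a commit.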
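Review bot: The `Security vulnerability` contact link in `.github/ISSUE_TEMPLATE/config.yml` points only at `mailto:security@sentriscloud.com`, so a reporter's first option is unencrypted email. If private vulnerability reporting is enabled for the repository, add a second `contact_links` entry pointing at the repository's "Report a vulnerability" advisory page so reports can stay inside GitHub; either way, the `about:` text should say where the PGP key or other encrypted route is published.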
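Review bot: The `## Test plan` section of `.github/pull_request_template.md` contains a single empty `- [ ]` item, so it gives authors nothing concrete to confirm. Given that `CONTRIBUTING.md` in this same patch requires a regression test for consensus-touching code and `SECURITY.md` lists apps that handle user keys, suggest replacing the blank item with specific checks, e.g. `- [ ] No private keys, RPC credentials or `.env` values in the diff` and `- [ ] Regression test added for consensus-touching changes (fails on main, passes here)`.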
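Review bot: The CodeQL `matrix.language` in `.github/workflows/codeql.yml` lists only `'javascript-typescript'`, while `CONTRIBUTING.md` in the same patch documents Rust (`cargo clippy --workspace`) and Solidity (`forge build`) code, so the Rust code is never scanned and nothing covers Solidity. Consider adding `rust` to the matrix (supported by recent CodeQL releases) and a separate analyzer job for Solidity, which CodeQL does not cover. Separately, `actions/checkout@v5`, `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` are referenced by mutable tag in a job granted `security-events: write`; pinning each action to its full commit SHA with the version in a trailing comment is the usual supply-chain hardening.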
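Review bot: `SECURITY.md` has no `## Supported Versions` section stating which releases receive security fixes (the bug template's placeholder suggests a `v2.x` line exists), no encryption key or alternative to plaintext email at `security@sentriscloud.com`, and the `## Response Timeline` gives acknowledgment and triage targets but no coordinated-disclosure window telling a reporter when they may publish. Suggest adding all three, and, since `Out of scope` already asks that dependency issues be reported upstream first, stating how the project will be notified once an upstream fix lands so the advisory-tracking promise is actionable.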