elderheim is security-sensitive compiler infrastructure. Treat parser, codegen, runtime, release, CI, and dependency changes as high risk until tested.
Run these regularly and before releases:
scripts/checks.sh
scripts/release_checks.sh
cargo deny check
cargo audit
scripts/generate-sbom.sh
scripts/reproducible_build_check.sh
GitHub Actions run CI, and GitHub CodeQL default setup should be enabled in the repository security settings. Keep only one active CodeQL configuration.
The full release gate is documented in Release Checklist. Rust dependency review rules are documented in Rust Supply-Chain Security.
The dependency policy lives in deny.toml. Unknown registries and git sources
are denied by default. License exceptions must be narrow, named, versioned, and
documented with the reason for acceptance.
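An illustrative deny.toml fragment, added here as an example and not the project's actual file, contrasting a weak source and license policy with one that follows the rules above. Crate names, versions and the registry index URL are placeholders; the cargo-deny keys are real.

```toml
# Illustrative deny.toml, not the project's real file. Crate names and
# versions below are constructed placeholders.

# --- Weak policy (what the rules above forbid) ---------------------------
# [sources]
# unknown-registry = "allow"      # any registry may supply a crate
# unknown-git = "allow"           # any git URL may supply a crate
#
# [licenses]
# allow = ["MIT", "Apache-2.0", "GPL-3.0"]   # blanket copyleft allowance
#
# [[licenses.exceptions]]
# allow = ["OpenSSL"]             # no crate name or version: applies to
#                                 # every crate that ever reports it

# --- Policy following the rules above ------------------------------------
[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []

[licenses]
allow = ["MIT", "Apache-2.0", "BSD-3-Clause"]
confidence-threshold = 0.9

# Narrow, named, versioned, documented exception.
# Reason: example-native-sys (placeholder) bundles a library under the
# OpenSSL license; only the copy pinned in Cargo.lock is accepted and the
# exception is revisited on every version bump. Approved by: <maintainer>.
[[licenses.exceptions]]
name = "example-native-sys"
version = "=0.4.2"
allow = ["OpenSSL"]

[bans]
multiple-versions = "warn"
wildcards = "deny"           # reject "*" version requirements

[advisories]
yanked = "deny"
ignore = []                  # each entry needs an advisory id and a reason
```

Running `cargo deny check` against the weak variant passes silently for a git-sourced crate; against the corrected variant the same crate is rejected as an unknown git source.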
Build scripts, procedural macros, *-sys crates, vendored native code, Cargo
aliases, CI workflow edits, and release script edits are executable supply-chain
changes. Review them before merging dependency updates.
Source files are untrusted input. elderheim must reject malformed and unsupported programs explicitly. Parser and codegen code must not rely on panics, unchecked indexing, or shell execution for normal diagnostics.
Stable releases must publish SPDX and CycloneDX SBOM files generated from the tagged source tree. Release notes must include SBOM checksums, source archive checksums, binary checksums, and signed tag verification.
Do not publish exploitable security details before a fix is available. Open a private security advisory or contact the maintainers directly once the project has public repository security channels configured.