docs: strengthen public security signals

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @tw93

.github/ISSUE_TEMPLATE/bug_report.md

@@ -10,6 +10,8 @@ assignees: ''
 
 A clear and concise description of what the bug is. We suggest using English for better global understanding.
 
+If you believe the issue may allow unsafe deletion, path validation bypass, privilege boundary bypass, or release/install integrity issues, do not file a public bug report. Report it privately using the contact details in `SECURITY.md`.
+
 ## Steps to reproduce
 
 1. Run command: `mo ...`

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,8 @@
 blank_issues_enabled: false
 contact_links:
+  - name: Private Security Report
+    url: mailto:hitw93@gmail.com?subject=Mole%20security%20report
+    about: Report a suspected vulnerability privately instead of opening a public issue
   - name: Telegram Community
     url: https://t.me/+GclQS9ZnxyI2ODQ1
     about: Join our Telegram group for questions and discussions

.github/dependabot.yml

@@ -4,8 +4,18 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"
+    reviewers:
+      - "tw93"
+    open-pull-requests-limit: 10
 
   - package-ecosystem: "gomod"
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"
+    reviewers:
+      - "tw93"
+    open-pull-requests-limit: 10

.github/pull_request_template.md

@@ -0,0 +1,18 @@
+## Summary
+
+- Describe the change.
+
+## Safety Review
+
+- Does this change affect cleanup, uninstall, optimize, installer, remove, analyze delete, update, or install behavior?
+- Does this change affect path validation, protected directories, symlink handling, sudo boundaries, or release/install integrity?
+- If yes, describe the new boundary or risk change clearly.
+
+## Tests
+
+- List the automated tests you ran.
+- List any manual checks for high-risk paths or destructive flows.
+
+## Safety-related changes
+
+- None.

.github/workflows/codeql.yml

@@ -0,0 +1,52 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main, dev]
+  schedule:
+    - cron: '17 3 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: go
+            build-mode: manual
+          - language: actions
+            build-mode: none
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+
+      - name: Set up Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
+        with:
+          go-version: "1.24.6"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: security-extended
+
+      - name: Build for CodeQL
+        if: matrix.build-mode == 'manual'
+        run: make build
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - 'V*'
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   build:
@@ -58,6 +58,10 @@ jobs:
     name: Publish Release
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      attestations: write
+      id-token: write
     steps:
       - name: Download all artifacts
         uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
@@ -69,16 +73,32 @@ jobs:
       - name: Display structure of downloaded files
         run: ls -R bin/
 
+      - name: Generate release checksums
+        run: |
+          cd bin
+          mapfile -t release_files < <(find . -maxdepth 1 -type f -printf '%P\n' | sort)
+          if [[ ${#release_files[@]} -eq 0 ]]; then
+            echo "No release assets found"
+            exit 1
+          fi
+          sha256sum "${release_files[@]}" > SHA256SUMS
+          cat SHA256SUMS
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: |
+            bin/analyze-darwin-*
+            bin/status-darwin-*
+            bin/binaries-darwin-*.tar.gz
+            bin/SHA256SUMS
+
       - name: Create Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         if: startsWith(github.ref, 'refs/tags/')
         with:
           name: ${{ github.ref_name }}
           files: bin/*
-          body: |
-            Release assets are ready.
-
-            Final curated release notes should be applied with `gh release edit` after workflow verification.
           generate_release_notes: false
           draft: false
           prerelease: false

.github/workflows/test.yml

@@ -52,6 +52,9 @@ jobs:
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 
+      - name: Install tools
+        run: brew install bats-core
+
       - name: Check for unsafe rm usage
         run: |
           echo "Checking for unsafe rm patterns..."
@@ -86,3 +89,10 @@ jobs:
             exit 1
           fi
           echo "✓ No secrets found"
+
+      - name: Run high-risk path regression tests
+        env:
+          BATS_FORMATTER: tap
+          LANG: en_US.UTF-8
+          LC_ALL: en_US.UTF-8
+        run: bats tests/core_safe_functions.bats tests/purge.bats tests/installer.bats