ci(security): address remaining scorecard findings

.github/workflows/benchmark-smoke.yml

@@ -62,12 +62,13 @@ jobs:
           # the repository documents locally.
           python-version: "3.12"
           cache: "pip"
-          cache-dependency-path: "requirements.txt"
+          cache-dependency-path: |
+            requirements.txt
+            requirements.lock
 
       - name: "Install chart-generation dependencies"
         run: |
-          python3 -m pip install --upgrade pip
-          python3 -m pip install --requirement requirements.txt
+          python3 -m pip install --require-hashes --requirement requirements.lock
 
       - name: "Show tool versions"
         run: |

.github/workflows/commit-lint.yml

@@ -67,9 +67,9 @@ jobs:
         with:
           # Match the release workflow's Node policy.
           #
-          # This repository is not a Node project and intentionally carries no
-          # `package.json` or `package-lock.json`. commitlint tooling is installed
-          # ephemerally at runtime, so automatic npm cache discovery must stay off.
+          # This repository is not a Node application and intentionally keeps
+          # its pinned commitlint toolchain isolated under `tools/commitlint`
+          # instead of adding a root-level Node manifest.
           node-version: "24"
           package-manager-cache: false
 
@@ -89,20 +89,15 @@ jobs:
           git --version
           python3 --version
 
-      - name: "Install standalone commitlint toolchain"
+      - name: "Install pinned commitlint toolchain"
         run: |
-          # Keep commitlint on the same repository Node-tooling policy as other
-          # automation here: no committed Node manifest and no generated lockfile
-          # in CI.
-          npm install --no-save --package-lock=false --no-audit --fund=false \
-            @commitlint/cli \
-            @commitlint/config-conventional
+          npm ci --prefix tools/commitlint --ignore-scripts --no-audit --fund=false
 
       - name: "Verify commitlint configuration exists"
         run: test -f commitlint.config.cjs
 
       - name: "Show commitlint version"
-        run: npx commitlint --version
+        run: tools/commitlint/node_modules/.bin/commitlint --version
 
       - name: "Lint pull request title"
         if: ${{ github.event_name == 'pull_request' }}
@@ -111,7 +106,7 @@ jobs:
         run: |
           # Squash merges often use the PR title as the final commit header.
           # Keep the title under the same Conventional Commit policy as commits.
-          printf '%s\n' "${PR_TITLE}" | npx commitlint --config commitlint.config.cjs --verbose
+          printf '%s\n' "${PR_TITLE}" | tools/commitlint/node_modules/.bin/commitlint --config commitlint.config.cjs --verbose
 
       - name: "Run repository commitlint orchestration"
         env:

.github/workflows/fuzz.yml

@@ -0,0 +1,57 @@
+# Copyright 2026 The ARCORIS Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"name": "Fuzz"
+
+"on":
+  pull_request:
+    branches:
+      - "main"
+  merge_group:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 2 * * 1"
+
+permissions:
+  contents: "read"
+
+jobs:
+  fuzz:
+    name: "fuzz"
+    runs-on: "ubuntu-latest"
+    timeout-minutes: 15
+
+    steps:
+      - name: "Checkout repository"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        with:
+          fetch-depth: 1
+          persist-credentials: false
+
+      - name: "Setup Go"
+        # actions/setup-go v6
+        uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c"
+        with:
+          go-version-file: "go.mod"
+          cache: true
+
+      - name: "Run fuzz targets"
+        shell: "bash"
+        run: |
+          set -euo pipefail
+
+          go test . -run '^$' -fuzz=FuzzPoolLifecycleOrder -fuzztime=10s
+          go test . -run '^$' -fuzz=FuzzPoolAcceptedValueIsResetBeforeReuse -fuzztime=10s
+          go test . -run '^$' -fuzz=FuzzPoolRejectedValueIsNotStored -fuzztime=10s

.github/workflows/govulncheck.yml

@@ -65,13 +65,10 @@ jobs:
         run: go version
 
       - name: "Install govulncheck"
-        # TODO(security): pin govulncheck to a reviewed module version in a
-        # dedicated toolchain-pinning change. This PR only pins GitHub Actions
-        # dependencies and token permissions.
-        # Keep the vulnerability scanner current on scheduled runs instead of
-        # pinning an older CLI indefinitely. This mirrors the intent of other
-        # hosted security scanners in the workflow layer.
-        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+        # govulncheck is pinned here as CI scanner tooling instead of being added to
+        # the library module graph. This keeps the public Go module dependency-free
+        # while avoiding floating tool installation.
+        run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
 
       - name: "Show govulncheck version"
         run: govulncheck -version || true

.gitignore

@@ -274,3 +274,6 @@ __marimo__/
 
 # Streamlit
 .streamlit/secrets.toml
+
+# Repository-local pinned Node tool installs
+tools/commitlint/node_modules/

MAINTAINERS.md

@@ -0,0 +1,42 @@
+<!--
+Copyright 2026 The ARCORIS Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Maintainers
+
+## Current maintainers
+
+| Area | Maintainer |
+| --- | --- |
+| Repository ownership | Anton Bochkov (`@bochkov-anton`) |
+| Runtime package contract | Anton Bochkov (`@bochkov-anton`) |
+| CI, release, and security automation | Anton Bochkov (`@bochkov-anton`) |
+| Benchmark and documentation policy | Anton Bochkov (`@bochkov-anton`) |
+
+## Responsibilities
+
+The repository is currently maintained by the ARCORIS project through Anton Bochkov. The maintainer is responsible for the public lifecycle contract, CI and release automation, benchmark policy, and contributor-facing repository guidance.
+
+## Security reports
+
+Security reports are handled through the private reporting path documented in [SECURITY.md](./SECURITY.md). Security-sensitive issues should not be opened as public bug reports first.
+
+## Review and release authority
+
+Stable releases are controlled through the repository release workflow and protected SemVer tags. This repository currently has a solo maintainer, so independent approvals may be limited until additional maintainers are added.
+
+## Future delegation
+
+Maintainer delegation may expand later as the repository matures. Additional maintainers, reviewers, or release delegates should only be listed here after they have real repository responsibility.

ROADMAP.md

@@ -0,0 +1,44 @@
+<!--
+Copyright 2026 The ARCORIS Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Roadmap
+
+## Current focus
+
+The current focus is to stabilize the lifecycle contract of `arcoris.dev/pool`, keep the public API small, and make repository automation predictable enough for conservative reuse in production-facing Go code.
+
+## Near-term work
+
+- Preserve the module path `arcoris.dev/pool`.
+- Improve fuzz and property-style coverage for lifecycle and reuse invariants.
+- Keep release provenance and repository automation explicit and reviewable.
+- Maintain a coherent benchmark taxonomy across backend, baseline, paths, shapes, parallel, and metrics suites.
+
+## Stabilization path
+
+The package should continue evolving conservatively until API behavior and lifecycle semantics are stable enough for a future `v1`. Stability matters more than adding surface area quickly.
+
+## Security and supply-chain maturity
+
+Security work should continue tightening pinned dependencies, provenance, review workflows, and repository policy without inventing governance signals that do not yet exist. Repository settings and review rules should mature alongside the code.
+
+## Benchmark and documentation maturity
+
+Benchmark documentation should stay aligned with the maintained benchmark taxonomy, and contributor-facing docs should remain explicit about lifecycle semantics, non-goals, and release expectations.
+
+## Non-goals
+
+The roadmap does not assume external adoption metrics, fixed release dates, or a broad framework surface. The package should remain a small Go library rather than turning into a general object-lifecycle manager.

commitlint.config.cjs

@@ -90,9 +90,11 @@
 
 module.exports = {
   /**
-   * Start from the official conventional baseline.
+   * Resolve the conventional preset through the repository-local pinned
+   * commitlint toolchain. The project intentionally does not keep a root
+   * package.json or root node_modules directory.
    */
-  extends: ['@commitlint/config-conventional'],
+  extends: ['./tools/commitlint/node_modules/@commitlint/config-conventional'],
 
   /**
    * Keep default ignore behavior enabled.
@@ -206,7 +208,7 @@ module.exports = {
      *
      * This avoids ambiguous breaking markers and keeps history explicit.
      */
-    'breaking-change-exclamation-mark': [2, 'always'],
+    'arcoris-breaking-change-marker': [2, 'always'],
 
     /**
      * Repository-specific policy:
@@ -225,6 +227,28 @@ module.exports = {
   plugins: [
     {
       rules: {
+        /**
+         * Require both the header `!` marker and a breaking-change footer note.
+         *
+         * The pinned commitlint toolchain used by this repository does not ship
+         * a built-in rule for this repository policy, so we enforce it here with
+         * the same intent: either both markers are present, or neither is.
+         */
+        'arcoris-breaking-change-marker': ({header, notes}) => {
+          const value = header || '';
+          const parsedNotes = Array.isArray(notes) ? notes : [];
+          const hasHeaderBang = /^[^:(]+(?:\([^)]+\))?!:/.test(value);
+          const hasBreakingNote = parsedNotes.some((note) => {
+            const title = typeof note?.title === 'string' ? note.title : '';
+            return /^BREAKING(?:\s+CHANGE|\s+CHANGES)?$/.test(title);
+          });
+
+          return [
+            hasHeaderBang === hasBreakingNote,
+            'breaking changes must use both ! in the header and a BREAKING CHANGE footer',
+          ];
+        },
+
         /**
          * Reject manual release-commit headers that imitate semantic-release.
          *