From f97a7816effff61bdda96688d2b812dd0e06d1bb Mon Sep 17 00:00:00 2001 From: Hirotaka Mizutani <52546+hirotaka@users.noreply.github.com> Date: Thu, 30 Apr 2026 09:29:59 +0900 Subject: [PATCH] chore(security): harden repo defaults and update disclosure policy --- .github/workflows/ci.yml | 4 ++++ .gitignore | 9 ++------- README.md | 7 ++++++- SECURITY.md | 23 +++++++++++++---------- 4 files changed, 25 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2ef040f..d42185d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,7 @@ name: ci on: push +permissions: + contents: read jobs: ci: runs-on: ${{ matrix.os }} @@ -21,6 +23,8 @@ jobs: run: pnpm install - name: Build registry artifacts run: pnpm run registry:build + - name: Generate static output + run: pnpm run generate - name: Lint run: pnpm run lint - name: Typecheck diff --git a/.gitignore b/.gitignore index b498c6c..8a54be3 100644 --- a/.gitignore +++ b/.gitignore @@ -20,15 +20,10 @@ logs .DS_Store .fleet .idea +.playwright-cli/ +.claude/settings.local.json # Local env files .env .env.* !.env.example - -.dmux/worktrees/task-response/.data -.dmux/worktrees/task-request/.data -.dmux/worktrees/task-15-3/.data -.dmux/worktrees/task-15-5/.data -.dmux/worktrees/task-17-1/.data -.dmux/worktrees/task-17-3/.data diff --git a/README.md b/README.md index 1c180a5..191b58b 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ This project aims to make shadcn-vue easier to use in Nuxt by providing: ## What this repository includes - **Docs site** (Nuxt 4 + Nuxt Content) -- **shadcn-vue registry output** under `public/r/*.json` +- **shadcn-vue registry builder** (`pnpm registry:build`) - **Template and component documentation** under `content/docs` ## Use the registry 
@@ -50,3 +50,8 @@ pnpm registry:build ``` This command generates distributable registry JSON files in `public/r/`. +`public/r/` is generated at build time and is not committed to git. + +## Security + +For vulnerability reporting and support policy, see `SECURITY.md`. diff --git a/SECURITY.md b/SECURITY.md index 034e848..60c97b8 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,20 +2,23 @@ ## Supported Versions -Use this section to tell people about which versions of your project are -currently being supported with security updates. +Security fixes are applied to the latest version on the `main` branch. | Version | Supported | | ------- | ------------------ | -| 5.1.x | :white_check_mark: | -| 5.0.x | :x: | -| 4.0.x | :white_check_mark: | -| < 4.0 | :x: | +| main | :white_check_mark: | +| others | :x: | ## Reporting a Vulnerability -Use this section to tell people how to report a vulnerability. +Please use GitHub Private Vulnerability Reporting for this repository: -Tell them where to go, how often they can expect to get an update on a -reported vulnerability, what to expect if the vulnerability is accepted or -declined, etc. +- https://github.com/shadcn-nuxt-ui/docs/security/advisories/new + +If private reporting is unavailable for your account, open a security issue without exploit details and ask maintainers to continue in a private channel. + +We aim to: + +- acknowledge reports within 72 hours, +- provide an initial assessment within 7 days, +- coordinate disclosure after a fix is available.
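Review bot: the workflow-level `permissions: contents: read` added in the first ci.yml hunk is the right default, and none of the visible steps (install, `registry:build`, `generate`, lint, typecheck) need anything beyond read access, so this is safe to merge as written; if a later job ever needs write access (for example a release or pages deploy), grant it at job level for that job only rather than widening this block.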
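Review bot: in the second ci.yml hunk the new `Generate static output` step is placed before `Lint` and `Typecheck`; moving it after those cheap checks would fail fast on lint or type errors before paying for a full `pnpm run generate`. Keep it after `Build registry artifacts`, since the README hunk says `public/r/` is produced by `registry:build` and is not committed, so generate depends on that step having run.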
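Review bot: the .gitignore hunk removes six `.dmux/worktrees/<task>/.data` entries without adding a replacement pattern; unless those directories are gone or already covered by an entry outside this hunk, a single glob such as `.dmux/worktrees/*/.data` (or `.dmux/`) keeps that local state from being committed. The added `.playwright-cli/` and `.claude/settings.local.json` entries are per-developer tool state and belong in the ignore list.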
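Review bot: the second README hunk states that `public/r/` "is generated at build time and is not committed to git", but this patch adds no `public/r/` entry to .gitignore; confirm such an entry already exists outside the shown hunk, otherwise the generated registry JSON can still be staged by a plain `git add .` and the README claim does not hold.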
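Review bot: the fallback in the SECURITY.md hunk, "open a security issue without exploit details and ask maintainers to continue in a private channel", still announces on the public tracker that a vulnerability exists before a fix is available; prefer naming a private fallback contact (a maintainer email or the contact listed in the organisation's security settings) so the public issue tracker is never the first stop. Also verify that Private Vulnerability Reporting is enabled for the repository, since the `security/advisories/new` link only resolves when it is. The reduced table (`main` supported, `others` not) matches the new one-branch support statement above it.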