Roblox
diff --git a/‎.cargo/audit.toml‎
Lines changed: 23 additions & 0 deletions b/‎.cargo/audit.toml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎.cargo/config.toml‎
Lines changed: 0 additions & 2 deletions b/‎.cargo/config.toml‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/bug_report.yml‎
Lines changed: 90 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/bug_report.yml‎
Lines changed: 90 additions & 0 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/security-vulnerability.yml‎
Lines changed: 114 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/security-vulnerability.yml‎
Lines changed: 114 additions & 0 deletions
diff --git a/‎.github/workflows/README.md‎
Lines changed: 54 additions & 0 deletions b/‎.github/workflows/README.md‎
Lines changed: 54 additions & 0 deletions
@@ -0,0 +1,23 @@
+# Cargo audit configuration to allow specific warnings
+[advisory]
+# Allow warnings for unmaintained crates that are build dependencies only
+allow = [
+    # atty is only used in build dependencies and has no runtime impact
+    "RUSTSEC-2024-0375",  # atty unmaintained
+    "RUSTSEC-2021-0145",  # atty unsound (potential unaligned read)
+    # net2 is only used in build dependencies and has no runtime impact  
+    "RUSTSEC-2020-0016",  # net2 deprecated
+    # paste is only used in build dependencies and has no runtime impact
+    "RUSTSEC-2024-0436",  # paste unmaintained
+    # proc-macro-error is only used in build dependencies and has no runtime impact
+    "RUSTSEC-2024-0370",  # proc-macro-error unmaintained
+]
+
+[advisory]
+# These are all build-time dependencies with no runtime security impact
+ignore = [
+    "atty",
+    "net2", 
+    "paste",
+    "proc-macro-error"
+]
@@ -0,0 +1,90 @@
+name: 🐛 Bug Report
+description: Report a bug or unexpected behavior
+title: "[BUG] "
+labels: ["bug", "needs-triage"]
+assignees: []
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## 🐛 Bug Report
+        
+        Please provide as much information as possible to help us reproduce and fix this issue.
+
+  - type: textarea
+    id: bug-description
+    attributes:
+      label: Bug Description
+      description: A clear and concise description of what the bug is
+      placeholder: Describe the bug...
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduction-steps
+    attributes:
+      label: Steps to Reproduce
+      description: Steps to reproduce the behavior
+      placeholder: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. See error
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected-behavior
+    attributes:
+      label: Expected Behavior
+      description: What you expected to happen
+      placeholder: Describe what should happen...
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual-behavior
+    attributes:
+      label: Actual Behavior
+      description: What actually happened
+      placeholder: Describe what actually happened...
+    validations:
+      required: true
+
+  - type: dropdown
+    id: environment
+    attributes:
+      label: Environment
+      description: What environment are you running?
+      options:
+        - Windows 10/11
+        - macOS
+        - Linux
+        - Other
+    validations:
+      required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: What version of the MCP server are you using?
+      placeholder: e.g., 0.2.1
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs
+      description: Relevant log output
+      placeholder: Paste relevant logs here...
+      render: shell
+
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional Context
+      description: Any other context about the problem
+      placeholder: Add any other context about the problem here...
@@ -0,0 +1,114 @@
+name: 🚨 Security Vulnerability Report
+description: Report a security vulnerability in the Roblox Studio MCP Server
+title: "[SECURITY] "
+labels: ["security", "vulnerability", "urgent"]
+assignees: []
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## 🚨 Security Vulnerability Report
+        
+        **⚠️ IMPORTANT**: This issue template is for reporting security vulnerabilities. 
+        
+        For general security questions or discussions, please use the regular issue template.
+        
+        **🔒 Please DO NOT** include sensitive information, proof-of-concept code, or exploit details in this issue.
+        
+        **📧 For highly sensitive vulnerabilities**, consider emailing security details privately instead.
+
+  - type: textarea
+    id: vulnerability-description
+    attributes:
+      label: Vulnerability Description
+      description: Provide a clear description of the security vulnerability
+      placeholder: Describe the security issue without including sensitive details...
+    validations:
+      required: true
+
+  - type: textarea
+    id: affected-versions
+    attributes:
+      label: Affected Versions
+      description: Which versions are affected by this vulnerability?
+      placeholder: |
+        - Version 0.1.x
+        - Version 0.2.x
+        - All versions
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduction-steps
+    attributes:
+      label: Steps to Reproduce
+      description: How can this vulnerability be reproduced? (Do not include exploit code)
+      placeholder: |
+        1. Step one
+        2. Step two
+        3. Step three
+    validations:
+      required: true
+
+  - type: dropdown
+    id: severity
+    attributes:
+      label: Severity Level
+      description: What is the severity of this vulnerability?
+      options:
+        - Critical (Remote Code Execution, Data Breach)
+        - High (Privilege Escalation, Authentication Bypass)
+        - Medium (Information Disclosure, Denial of Service)
+        - Low (Minor security issues)
+    validations:
+      required: true
+
+  - type: textarea
+    id: impact
+    attributes:
+      label: Potential Impact
+      description: What could an attacker achieve with this vulnerability?
+      placeholder: Describe the potential impact without providing exploit details...
+    validations:
+      required: true
+
+  - type: textarea
+    id: suggested-fix
+    attributes:
+      label: Suggested Fix
+      description: Do you have any suggestions for fixing this vulnerability?
+      placeholder: Optional: Describe how this vulnerability could be fixed...
+
+  - type: checkboxes
+    id: disclosure-preference
+    attributes:
+      label: Disclosure Preference
+      description: How would you like this vulnerability to be disclosed?
+      options:
+        - label: I agree to coordinated disclosure (recommended)
+          required: false
+        - label: I prefer immediate public disclosure
+          required: false
+        - label: I would like to discuss disclosure timeline privately
+          required: false
+
+  - type: textarea
+    id: additional-info
+    attributes:
+      label: Additional Information
+      description: Any additional information that might be helpful?
+      placeholder: References, related issues, etc...
+
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Terms
+      description: By submitting this report, you agree to the following
+      options:
+        - label: I have read and agree to the [Security Policy](SECURITY.md)
+          required: true
+        - label: I understand that this is a public repository and my report will be visible to others
+          required: true
+        - label: I will not use this vulnerability for malicious purposes
+          required: true
@@ -62,5 +62,59 @@ The security workflow implements multiple layers of protection:
 2. **Dependency Scanning**: Automatically checks for vulnerable dependencies
 3. **Secret Detection**: Prevents accidental exposure of API keys, passwords, and tokens
 4. **Rust-Specific Security**: Cargo audit checks for known vulnerabilities in Rust crates
+5. **Weekly Security Scans**: Automated vulnerability detection runs every Monday
+6. **Security Reporting**: Detailed security reports with vulnerability summaries
+7. **Dependency Updates**: Automated checking for outdated dependencies
 
 All security checks must pass before code can be merged into the main branch.
+
+### Enhanced Security Workflows
+
+#### Security Scan (`security-scan.yml`)
+- **CodeQL Analysis**: Static Application Security Testing (SAST)
+- **Dependency Review**: Scans dependencies for known vulnerabilities (PRs only)
+- **Secrets Scan**: Detects accidentally committed secrets using Gitleaks
+- **Cargo Audit**: Checks Rust dependencies for security vulnerabilities
+- **Dependency Check**: Identifies outdated dependencies
+- **Security Summary**: Comprehensive security status report
+
+#### Dependency Update (`dependency-update.yml`)
+- **Weekly Updates**: Automated dependency update checking
+- **Security Alerts**: Creates issues for security vulnerabilities
+- **Critical Fixes**: Automated fixing of critical vulnerabilities
+- **Update Reports**: Detailed reports on outdated dependencies
+
+### Security Tools
+
+The project includes several security tools and scripts:
+
+- **`scripts/fix-vulnerabilities.sh`**: Bash script to fix known vulnerabilities
+- **`scripts/fix-vulnerabilities.ps1`**: PowerShell script for Windows users
+- **`SECURITY.md`**: Comprehensive security policy and vulnerability tracking
+- **Issue Templates**: Structured reporting for security vulnerabilities
+
+### Known Vulnerabilities
+
+Current vulnerabilities being tracked:
+
+1. **tracing-subscriber 0.3.19** → **Fixed** (upgraded to 0.3.20)
+2. **adler 1.0.2** → **Planned** (replace with adler2)
+3. **atty 0.2.14** → **Planned** (replace with is-terminal)
+4. **net2 0.2.39** → **Planned** (replace with socket2)
+5. **paste 1.0.15** → **Planned** (replace with paste-next)
+6. **proc-macro-error 1.0.4** → **Planned** (replace with proc-macro-error-attr)
+
+### Running Security Fixes
+
+To fix vulnerabilities manually:
+
+```bash
+# On Unix/Linux/macOS
+./scripts/fix-vulnerabilities.sh
+
+# On Windows (PowerShell)
+.\scripts\fix-vulnerabilities.ps1
+
+# Dry run to see what would be changed
+.\scripts\fix-vulnerabilities.ps1 -DryRun
+```