# RFC 9116 — Security policy for IntelligencePro Knowledge Platform
#
# Spec: https://datatracker.ietf.org/doc/rfc9116/
# Renewed annually; dev-grade until production deployment.

Contact: mailto:security@ip.tekton.cc
Expires: 2027-05-10T00:00:00Z
Preferred-Languages: en
Canonical: https://ip.tekton.cc/.well-known/security.txt

# RFC 9116 §2.5.4 Contact-for-non-security routes:
# Automated-decision appeals (GDPR Art-22(3) human-review path)
# go to a SEPARATE mailbox so security disclosures and
# compliance appeals don't share triage:
# appeals@ip.tekton.cc — see /humans.txt §APPEALS for SLO + body

# Disclosure approach: coordinated disclosure preferred. Bugs in the
# economy (deposit/refund accounting, judgment-weight manipulation,
# manifest-signature forgery) are the highest-priority class. The
# platform's HMAC-SHA256 signing key is set via
# PROVENANCE_SIGNING_KEY env var; do not test against the
# default dev key in production-targeted contexts.

# Per RFC 9116, this declaration expires at the timestamp above and
# must be renewed annually; a renewal cron bumps the constant.