some misc. updates

Author: fam007e

CONTRIBUTION.md

@@ -0,0 +1,77 @@
+# Contributing to SecurePassManager
+
+First off, thank you for considering contributing to SecurePassManager. It's people like you that make SecurePassManager such a great tool.
+
+## Code of Conduct
+
+By participating in this project, you are expected to uphold our Code of Conduct. Please report unacceptable behavior to [[email protected]](mailto:[email protected]).
+
+## How Can I Contribute?
+
+### Reporting Bugs
+
+This section guides you through submitting a bug report for SecurePassManager. Following these guidelines helps maintainers and the community understand your report, reproduce the behavior, and find related reports.
+
+**Before Submitting A Bug Report**
+
+* Check the [FAQ](docs/FAQ.md) for a list of common questions and problems.
+* Perform a [cursory search](https://github.com/fam007e/SecurePasswd_MGMT/issues) to see if the problem has already been reported. If it has and the issue is still open, add a comment to the existing issue instead of opening a new one.
+
+**How Do I Submit A (Good) Bug Report?**
+
+Bugs are tracked as [GitHub issues](https://github.com/fam007e/SecurePasswd_MGMT/issues). Create an issue using the [Bug Report](.github/ISSUE_TEMPLATE/bug_report.md) template and provide as much information as possible.
+
+### Suggesting Enhancements
+
+This section guides you through submitting an enhancement suggestion for SecurePassManager, including completely new features and minor improvements to existing functionality.
+
+**Before Submitting An Enhancement Suggestion**
+
+* Check if there's already a feature which provides that enhancement.
+* Perform a [cursory search](https://github.com/fam007e/SecurePasswd_MGMT/issues) to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one.
+
+**How Do I Submit A (Good) Enhancement Suggestion?**
+
+Enhancement suggestions are tracked as [GitHub issues](https://github.com/fam007e/SecurePasswd_MGMT/issues). Create an issue using the [Feature Request](.github/ISSUE_TEMPLATE/feature_request.md) template and provide as much information as possible.
+
+### Pull Requests
+
+* Fill in [the required template](.github/PULL_REQUEST_TEMPLATE.md)
+* Do not include issue numbers in the PR title
+* Include screenshots and animated GIFs in your pull request whenever possible.
+* Follow the [C style guide](https://google.github.io/styleguide/cguide.html).
+* End all files with a newline
+
+## Styleguides
+
+### Git Commit Messages
+
+* Use the present tense ("Add feature" not "Added feature")
+* Use the imperative mood ("Move cursor to..." not "Moves cursor to...")
+* Limit the first line to 72 characters or less
+* Reference issues and pull requests liberally after the first line
+
+### C Styleguide
+
+All C code must adhere to the [Google C Style Guide](https://google.github.io/styleguide/cguide.html).
+
+## Additional Notes
+
+### Issue and Pull Request Labels
+
+This section lists the labels we use to help us track and manage issues and pull requests. These labels are automatically applied by our issue templates.
+
+* `bug` - Issues that are bugs.
+* `enhancement` - Issues that are feature requests.
+* `documentation` - Issues or pull requests related to documentation.
+* `good first issue` - Good for newcomers.
+
+## Getting Help
+
+If you need help, you can ask questions on the [issue tracker](https://github.com/fam007e/SecurePasswd_MGMT/issues). You can use slash commands in issues and pull requests as defined in our [issue-slash-cmd.yml](.github/workflows/issue-slash-cmd.yml) workflow.
+
+## Release Process
+
+Our release process is automated through the [release.yml](.github/workflows/release.yml) workflow. This process is triggered on pushes to the main branch that modify files in the `src/` directory or the `Makefile`.
+
+Thank you for contributing to SecurePassManager!

README.md

@@ -4,9 +4,9 @@
 
 SecurePassManager is a robust, command-line password manager and two-factor authenticator (TOTP) designed with security and ease of use in mind. It provides a secure solution for managing passwords and 2FA tokens locally, ensuring your sensitive data remains protected and easily accessible.
 
-![Version](https://img.shields.io/badge/version-1.0.0-blue.svg)
+![Version](https://img.shields.io/github/v/release/fam007e/SecurePasswd_MGMT?style=flat-square)
 ![License](https://img.shields.io/badge/license-MIT-green.svg)
-![Build Status](https://img.shields.io/badge/build-passing-brightgreen.svg)
+![Build Status](https://img.shields.io/github/workflow/status/yourusername/SecurePasswd_MGMT/C%20CI%20and%20Release?style=flat-square)
 
 ## Table of Contents
 
@@ -17,11 +17,10 @@ SecurePassManager is a robust, command-line password manager and two-factor auth
 5. [Security](#security)
 6. [Project Structure](#project-structure)
 7. [Contributing](#contributing)
-8. [Testing](#testing)
-9. [License](#license)
-10. [Disclaimer](#disclaimer)
-11. [Support](#support)
-12. [Acknowledgments](#acknowledgments)
+8. [License](#license)
+9. [Disclaimer](#disclaimer)
+10. [Support](#support)
+11. [Acknowledgments](#acknowledgments)
 
 ## Features
 
@@ -54,7 +53,7 @@ Ensure you have the required libraries installed:
 #### Ubuntu/Debian:
 ```bash
 sudo apt-get update
-sudo apt-get install gcc libssl-dev liboath-dev
+sudo apt-get install build-essential libssl-dev oathtool liboath0 liboath-dev
 ```
 
 #### macOS (using Homebrew):
@@ -80,11 +79,6 @@ sudo pacman -S gcc openssl oath-toolkit
    make
    ```
 
-3. (Optional) Run tests:
-   ```bash
-   make test
-   ```
-
 The compiled binary `securepass` will be created in the project root directory.
 
 ## Usage
@@ -101,8 +95,6 @@ Follow the on-screen prompts to:
 - Generate TOTP codes
 - Import or export password data
 
-For detailed usage instructions, refer to the [User Manual](docs/USER_MANUAL.md).
-
 ## Security
 
 - **Encryption**: AES-256 encryption for all stored data
@@ -115,45 +107,33 @@ For a detailed security analysis, see our [Security Policy](SECURITY.md).
 ## Project Structure
 
 ```
-SecurePasswd_MGMT/
-├── src/
-│   ├── main.c
-│   ├── encryption.c
-│   ├── csv_handler.c
-│   ├── totp.c
-│   └── utils.c
-├── include/
-│   ├── encryption.h
-│   ├── csv_handler.h
-│   ├── totp.h
-│   └── utils.h
-├── tests/
-│   └── test_main.c
-├── data/
-│   └── README.md
-├── lib/
-│   └── README.md
-├── docs/
-│   └── USER_MANUAL.md
+SecurePasswd_MGMT
+├── data
+│  └── README.md
+├── lib
+│  ├── liboath
+│  │  └── oath.h
+│  └── README.md
+├── LICENSE
 ├── Makefile
 ├── README.md
-├── LICENSE
-├── CONTRIBUTING.md
-└── SECURITY.md
+└── src
+   ├── csv_handler.c
+   ├── csv_handler.h
+   ├── encryption.c
+   ├── encryption.h
+   ├── main.c
+   ├── totp.c
+   ├── totp.h
+   ├── utils.c
+   ├── utils.h
+   └── version.h
+
 ```
 
 ## Contributing
 
-We welcome contributions to SecurePassManager! Please read our [Contributing Guidelines](CONTRIBUTING.md) for details on our code of conduct and the process for submitting pull requests.
-
-## Testing
-
-Run the test suite with:
-```bash
-make test
-```
-
-For more information on testing, see [TESTING.md](TESTING.md).
+We welcome contributions to SecurePassManager! Please read our [Contributing Guidelines](CONTRIBUTION.md) for details on our code of conduct and the process for submitting pull requests.
 
 ## License
 

SECURITY.md

@@ -0,0 +1,125 @@
+# Security Policy
+
+## Supported Versions
+
+SecurePassManager is currently in its initial release phase. We are committed to providing security updates for the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 2024.10.01.01 | :white_check_mark: |
+| < 2024.10.01.00 | :x:                |
+
+## Reporting a Vulnerability
+
+We take the security of SecurePassManager seriously. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly.
+
+### Reporting Process
+
+1. **Do not report security vulnerabilities through public GitHub issues.**
+
+2. Please send an email to [@securepassmanager](mailto:[email protected]) with the subject line "SecurePassManager Security Vulnerability".
+
+3. Include the following details in your report:
+   - Type of issue (e.g., buffer overflow, encryption weakness, etc.)
+   - Full paths of source file(s) related to the issue
+   - The location of the affected source code (tag/branch/commit or direct URL)
+   - Any special configuration required to reproduce the issue
+   - Step-by-step instructions to reproduce the issue
+   - Proof-of-concept or exploit code (if possible)
+   - Impact of the issue, including how an attacker might exploit it
+
+4. Allow up to 48 hours for an initial response to your report.
+
+### What to expect
+
+- A response acknowledging your report within 48 hours.
+- An evaluation of the reported vulnerability.
+- A plan for addressing the vulnerability, if confirmed.
+- A public disclosure after the vulnerability has been addressed.
+
+We appreciate your efforts and will make every effort to acknowledge your contributions.
+
+## Security Measures in SecurePassManager
+
+SecurePassManager implements the following security measures:
+
+### Encryption
+
+- AES-256 encryption in GCM mode for all stored data.
+- Encryption keys are derived from the user's master password using a secure key derivation function.
+
+### Key Derivation
+
+- PBKDF2-HMAC-SHA256 with a minimum of 100,000 iterations.
+- A unique salt is generated for each user to prevent rainbow table attacks.
+
+### Memory Protection
+
+- Sensitive data (e.g., master password, encryption keys) is securely wiped from memory after use.
+- We use `mlock()` to prevent sensitive memory pages from being swapped to disk.
+
+### Input Validation and Sanitization
+
+- All user inputs are validated and sanitized to prevent injection attacks and buffer overflows.
+- We use prepared statements for any operations involving user input.
+
+### Local Operation
+
+- SecurePassManager operates entirely locally, with no network communication, eliminating risks associated with data transmission.
+
+### Secure Random Number Generation
+
+- We use cryptographically secure random number generators (provided by OpenSSL) for all security-critical operations.
+
+### Version Control and Code Signing
+
+- All releases are tagged and signed with GPG keys.
+- We provide checksums for all released binaries.
+
+## Best Practices for Users
+
+To maximize security when using SecurePassManager:
+
+1. Use a strong, unique master password (we recommend at least 16 characters).
+2. Never share your master password or store it in plain text.
+3. Regularly update to the latest version of SecurePassManager.
+4. Use full-disk encryption on your device.
+5. Be cautious when exporting password data and securely delete any exported files when no longer needed.
+
+## Third-Party Libraries
+
+SecurePassManager uses the following third-party libraries:
+
+- OpenSSL 3.3.0 or later: For cryptographic operations
+- liboath 2.6.7 or later: For TOTP functionality
+
+We monitor these dependencies for security updates and incorporate them promptly.
+
+## Security Audits
+
+We are open to independent security audits. If you're interested in conducting a security audit, please contact us at [[email protected]](mailto:[email protected]).
+
+## Threat Model
+
+SecurePassManager is designed to protect against:
+
+1. Unauthorized access to the password database file
+2. Memory dumping attacks
+3. Brute-force attacks on the master password
+4. Tampering with the application binary
+
+It does not protect against:
+
+1. Malware on the user's system
+2. Physical access to the user's unlocked device
+3. Weakness of individual passwords stored in the database
+
+## Disclaimer
+
+While we strive for the highest level of security, no system is 100% secure. Users should use SecurePassManager as part of a comprehensive security strategy.
+
+---
+
+This security policy is subject to change. Please check regularly for updates.
+
+Last updated: [2024.10.01]

src/main.c

@@ -177,4 +177,4 @@ int main(int argc, char *argv[]) {
     }
 
     return 0;
-}
+}