pm: operational PM artifacts — changelog, security policy, issue templates, PR template

[ksek87]

Summary

Adds the operational PM artifacts that signal this project is managed like a real product, not just built. Closes the gaps identified in the PM assessment against the fuzzd roadmap.

• CHANGELOG.md — full Keep-a-Changelog history from v0.1.0 through v0.11.0 with detection rate deltas per release (84.7% → 89.0% (+4.3pp)). Also includes two new response-phase signals (FUZZD-022 ResponseContextInvalidation, FUZZD-023 ForcedReexecution) in [Unreleased].
• SECURITY.md — responsible disclosure policy with scope definition (what's a vuln in fuzzd vs. the servers it scans), reporting channel, response SLA (72h ack / 14 days Critical patch), and hall of fame.
• CONTRIBUTING.md — standalone contribution guide with per-type workflows (corpus records, detection signals, infrastructure), benchmark delta requirement, and test infrastructure notes.
• .github/PULL_REQUEST_TEMPLATE.md — checklist enforcing cargo fmt/clippy/test, bench delta reporting, and source citation for corpus records.
• .github/ISSUE_TEMPLATE/bug_report.yml — structured bug report.
• .github/ISSUE_TEMPLATE/corpus_record.yml — domain-specific template requiring published source URL, attack category, injection point — signals understanding of fuzzd's contribution model.
• .github/ISSUE_TEMPLATE/feature_request.yml — includes benchmark impact section.
• README.md — Contributing section condensed with links to the new standalone files.

Also includes:

• Two new detection signals in the code (ResponseContextInvalidation FUZZD-022, ForcedReexecution FUZZD-023) merged from development
• Signal::ALL const — canonical ordered slice eliminating divergence in sarif_rules()
• Stable SARIF fingerprint hash (31-polynomial) fixing silent empty discriminator for all-Unicode matched text
• Performance: partition() single pass, HashSet::with_capacity, signal.as_str() static ref

Detection rate

Metric	Value
MCPTox actual recall	90.7% (485 tools, unchanged)
False positives	0 / 20 (unchanged)

GitHub updates

• Issue [v0.12] Neural embedding semantic layer — upgrade from TF-IDF #51: fixed milestone target (v0.11 → v0.12), added OKR table with KRs for Privacy Leakage (≥ 82%) and Message Hijacking (≥ 75%), removed stale "Blocked by feat(v0.10): TF-IDF semantic detection layer for domain-specific attack language #50" (v0.10 shipped)
• PR docs: split v0.10 semantic detection into TF-IDF (now) and neural embedding (v0.11) #57: added Closes #51 link
• PR feat(bench): add registry scanner — live tool enumeration from real MCP servers #63: added relation to roadmap issue Roadmap — fuzzd #26

Test plan

• Open a new issue — template picker shows 3 options (Bug report, Corpus record, Feature request)
• Open a draft PR — checklist appears in description
• View CHANGELOG.md — version history readable from v0.1.0 to current
• View SECURITY.md — disclosure policy visible
• cargo test passes
• ./bench/run.sh — detection rate unchanged

https://claude.ai/code/session_014T1x8ZiDbJcVvkZBfP91nk

---

Generated by Claude Code