Merged
5 changes: 4 additions & 1 deletion .github/workflows/ci.yml
Expand Up @@ -24,6 +24,9 @@ jobs:
args: >-
--verbose
--no-progress
--exclude-mail
--exclude 'competitive\.md'
--exclude 'roadmap\.md'
--exclude 'orbitstream-sdk'
--exclude 'docs/contributing\.md'
'**/*.md'
fail: true
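Review bot: the new `--exclude` patterns duplicate what `.lycheeignore` in this same PR already lists, and lychee reads `.lycheeignore` by default, so the same rules kept in two places will drift; keep one source. If the flags stay, remember that `--exclude` takes a regular expression, so `'orbitstream-sdk'` suppresses checking of every URL containing that substring, not only the GitHub repository, whereas the `.lycheeignore` entry `https://github\.com/OrbitStream/orbitstream-sdk` is scoped to the one link; prefer the scoped form so unrelated broken links are still reported.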
3 changes: 3 additions & 0 deletions .lycheeignore
@@ -0,0 +1,3 @@
competitive\.md
roadmap\.md
https://github\.com/OrbitStream/orbitstream-sdk
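Review bot: `competitive\.md` and `roadmap\.md` are unanchored regexes, so they also silence any link whose target merely contains those substrings; if the intent is the two repository-root files, anchor them with a trailing `$` (for example `competitive\.md$`) so only paths ending in those names match. The `orbitstream-sdk` entry means the link checker will no longer report that link breaking, so the PR description should record why it is ignored and when the entry can be removed.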
12 changes: 12 additions & 0 deletions .markdownlint.json
@@ -0,0 +1,12 @@
{
"line-length": false,
"blanks-around-lists": false,
"blanks-around-fences": false,
"blanks-around-tables": false,
"blanks-around-headings": false,
"no-bare-urls": false,
"fenced-code-language": false,
"table-column-style": false,
"single-title": false,
"no-trailing-spaces": false
}
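Review bot: disabling ten rules globally, `single-title`, `fenced-code-language` and `no-bare-urls` among them, leaves markdownlint checking very little, and nothing in the file or the PR says which documents triggered each rule. If only a few files are affected, fix them or scope the exception with an inline comment such as `<!-- markdownlint-disable fenced-code-language -->` in that file, and keep at least `single-title` and `fenced-code-language` enabled repository-wide.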
21 changes: 21 additions & 0 deletions security/threat-model.md
Expand Up @@ -3,101 +3,122 @@
## Payment Detection

### Threat: Fake Payment Notification

**Attack:** Attacker sends a payment notification with a spoofed memo to claim a session.
**Mitigation:** Backend verifies payments by querying Horizon directly. Never trust client-reported payment data.

### Threat: Double-Spend

**Attack:** Attacker submits a payment that gets reversed.
**Mitigation:** Wait for Stellar's 5-second finality before confirming. Verify transaction success on Horizon.

### Threat: Memo Collision

**Attack:** Two sessions get the same memo, causing misattribution.
**Mitigation:** Memos are 16-character hex strings (64 bits). Collision probability is negligible.

## Webhooks

### Threat: Webhook Spoofing

**Attack:** Attacker sends fake webhook events to merchant endpoint.
**Mitigation:** All webhooks signed with HMAC-SHA256. Merchant must verify signature before processing.

### Threat: Webhook Replay

**Attack:** Attacker replays a valid webhook.
**Mitigation:** Timestamp included in signed payload. Merchant should reject events older than 5 minutes.

## API Keys

### Threat: Key Theft

**Attack:** Attacker obtains merchant's API key.
**Mitigation:** Keys shown once at creation. Merchant can revoke compromised keys. API key only allows session creation, not fund access.

### Threat: Brute Force

**Attack:** Attacker tries to guess API keys.
**Mitigation:** Keys are 48+ random hex characters. Rate limiting on all endpoints.

## Merchant Dashboard

### Threat: Wallet Impersonation

**Attack:** Attacker connects a different wallet to access another merchant's dashboard.
**Mitigation:** JWT is bound to wallet address. Dashboard only shows data for the authenticated wallet.

## SEP Protocol Integration

### Threat: SEP-10 Challenge Replay

**Attack:** Attacker replays a captured SEP-10 challenge to impersonate a merchant.
**Mitigation:** Challenge transactions include a nonce and are bound to OrbitStream's domain. Expired challenges are rejected.

### Threat: SEP-12 Data Leak

**Attack:** KYC data intercepted during fiat settlement onboarding.
**Mitigation:** KYC data is sent directly to the anchor's SEP-12 endpoint over TLS. OrbitStream never stores KYC documents.

### Threat: SEP-24 Iframe Phishing

**Attack:** Merchant injects a malicious URL as the anchor iframe target.
**Mitigation:** Anchor iframe URLs are fetched server-side from the anchor's TOML file. Merchants cannot inject arbitrary URLs.

### Threat: Malicious Anchor

**Attack:** A fraudulent anchor intercepts fiat settlement funds.
**Mitigation:** OrbitStream validates anchor TOML files and checks SEP compliance before enabling fiat settlement for an anchor.

## Muxed Accounts

### Threat: Muxed Account Spoofing

**Attack:** Attacker creates a muxed account that routes to their own master account.
**Mitigation:** Muxed accounts are derived from the merchant's Stellar account. Only the merchant's master account can authorize withdrawals.

### Threat: Session Hijacking via Muxed ID

**Attack:** Attacker reuses a muxed account ID from a previous session.
**Mitigation:** Muxed IDs are single-use and expire with the checkout session.

## Claimable Balances

### Threat: Premature Claim

**Attack:** Seller claims funds before delivering goods.
**Mitigation:** Claimable balance predicates enforce the timeout at the protocol level. No off-chain check needed.

### Threat: Double-Claim

**Attack:** Claimant tries to claim the same balance twice.
**Mitigation:** Stellar protocol guarantees a claimable balance can only be claimed once.

### Threat: Stale Balance

**Attack:** Funds locked indefinitely in an unclaimed balance.
**Mitigation:** Unclaimed balances are automatically returned to the creator after the predicate timeout.

## Built-in DEX

### Threat: Price Manipulation

**Attack:** Attacker manipulates DEX order book to change the conversion rate mid-checkout.
**Mitigation:** DEX prices are fetched at session creation. The quoted amount is locked for the session duration.

### Threat: Slippage

**Attack:** DEX rate changes between quote and execution, causing the merchant to receive less than expected.
**Mitigation:** Path payments use strict send/receive amounts. If the rate changes beyond a configurable threshold, the payment fails safely.

## Escrow Contract

### Threat: Premature Refund

**Attack:** Buyer tries to refund before timeout.
**Mitigation:** Contract checks `env.ledger().timestamp() < escrow.timeout_at` and rejects.

### Threat: Unauthorized Release

**Attack:** Non-seller tries to release funds.
**Mitigation:** `escrow.seller.require_auth()` enforced by Soroban.
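Review bot: the Webhook Replay mitigation leaves a five-minute window in which a captured event can be redelivered, because a timestamp check alone cannot distinguish a legitimate retry from a replay; include a unique event identifier in the signed payload and have merchants treat an already-seen identifier as a no-op. Two smaller points in the same hunk: the Webhook Spoofing entry should state that the HMAC-SHA256 signature is compared in constant time, and the Fake Payment Notification entry says the backend verifies payments by querying Horizon but not what it compares; spell out that destination account, asset, amount and memo must all match, since a memo match alone does not establish that the expected amount was paid.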