Add missing SPDX headers, security policy, and reduce dependency vulnerabilities

CONTRIBUTING.md

@@ -0,0 +1,208 @@
+# Contributing to Hedera EVM Testing
+
+Thank you for your interest in contributing to Hedera EVM Testing! This document provides guidelines and instructions for contributing to this project.
+
+## Table of Contents
+
+- [Code of Conduct](#code-of-conduct)
+- [Getting Started](#getting-started)
+- [How to Contribute](#how-to-contribute)
+- [Development Workflow](#development-workflow)
+- [Coding Standards](#coding-standards)
+- [Testing Guidelines](#testing-guidelines)
+- [Pull Request Process](#pull-request-process)
+- [License](#license)
+
+## Code of Conduct
+
+This project adheres to the Hedera community code of conduct. By participating, you are expected to uphold this code.
+
+## Getting Started
+
+### Prerequisites
+
+- Node.js v22.15.0 or higher
+- npm
+- Git
+- For local testing: Docker, Kubernetes (kind), kubectl, and Solo
+
+### Setup
+
+1. Fork the repository
+2. Clone your fork:
+   ```bash
+   git clone https://github.com/YOUR_USERNAME/hedera-evm-testing.git
+   cd hedera-evm-testing
+   ```
+
+3. Install dependencies:
+   ```bash
+   # For system contract testing
+   cd system-contract-testing
+   npm ci
+
+   # For EVM gas schedule testing
+   cd ../evm-gas-schedule-compatibility-regression
+   npm install
+   ```
+
+## How to Contribute
+
+### Reporting Bugs
+
+- Check if the bug has already been reported in [Issues](https://github.com/hashgraph/hedera-evm-testing/issues)
+- If not, create a new issue with:
+  - Clear title and description
+  - Steps to reproduce
+  - Expected vs actual behavior
+  - Environment details (OS, Node version, etc.)
+  - Any relevant logs or screenshots
+
+### Suggesting Enhancements
+
+- Open an issue describing the enhancement
+- Explain why this enhancement would be useful
+- Provide examples if applicable
+
+### Security Vulnerabilities
+
+**Do not report security vulnerabilities through GitHub issues.** Please see our [Security Policy](SECURITY.md) for reporting instructions.
+
+## Development Workflow
+
+1. Create a new branch from `main`:
+   ```bash
+   git checkout -b feature/your-feature-name
+   ```
+
+2. Make your changes following our [coding standards](#coding-standards)
+
+3. Test your changes thoroughly
+
+4. Commit your changes with clear, descriptive commit messages:
+   ```bash
+   git commit -m "feat: add new test for HIP-XXX"
+   ```
+
+5. Push to your fork:
+   ```bash
+   git push origin feature/your-feature-name
+   ```
+
+6. Open a Pull Request
+
+## Coding Standards
+
+### JavaScript/Node.js
+
+- Use CommonJS module syntax (`require`/`module.exports`)
+- Follow existing code style and formatting
+- Use meaningful variable and function names
+- Add comments for complex logic
+- Include SPDX license header in all source files:
+  ```javascript
+  // SPDX-License-Identifier: Apache-2.0
+  ```
+
+### File Organization
+
+- Keep files focused and single-purpose
+- Place utilities in appropriate `utils/` directories
+- Follow existing directory structure
+
+### Dependencies
+
+- Minimize new dependencies
+- Justify any new dependencies in your PR description
+- Check for security vulnerabilities before adding dependencies
+- Keep dependencies up to date
+
+## Testing Guidelines
+
+### System Contract Testing
+
+Run tests using:
+```bash
+cd system-contract-testing
+npx hardhat test
+```
+
+For local testing with Solo:
+```bash
+npx hardhat test --network local
+```
+
+### EVM Gas Schedule Testing
+
+Run tests using:
+```bash
+cd evm-gas-schedule-compatibility-regression
+npm run test --executors=<executor-list>
+```
+
+### Writing Tests
+
+- Write clear, descriptive test names
+- Test both success and failure cases
+- Include comments explaining complex test scenarios
+- Ensure tests are deterministic and don't rely on external state
+- Clean up resources after tests
+
+## Pull Request Process
+
+1. **Before submitting:**
+   - Ensure all tests pass
+   - Update documentation if needed
+   - Add/update tests for your changes
+   - Follow the coding standards
+   - Rebase on latest `main` if needed
+
+2. **PR Description should include:**
+   - What changes were made and why
+   - Link to related issues
+   - Testing performed
+   - Any breaking changes
+   - Screenshots (if UI changes)
+
+3. **Review process:**
+   - At least one maintainer approval is required
+   - Address all review comments
+   - Keep PR scope focused and manageable
+   - Be responsive to feedback
+
+4. **After approval:**
+   - Maintainers will merge your PR
+   - Your contribution will be part of the next release
+
+## Commit Message Guidelines
+
+Use conventional commit format:
+
+- `feat:` - New feature
+- `fix:` - Bug fix
+- `docs:` - Documentation changes
+- `test:` - Adding or updating tests
+- `refactor:` - Code refactoring
+- `chore:` - Maintenance tasks
+- `style:` - Code style changes (formatting, etc.)
+
+Examples:
+```
+feat: add support for HIP-XXX system contract
+fix: resolve gas estimation issue in ERC20 tests
+docs: update README with Solo installation steps
+test: add integration tests for schedule transactions
+```
+
+## License
+
+By contributing to this project, you agree that your contributions will be licensed under the Apache License 2.0. All source files must include the Apache-2.0 SPDX license identifier.
+
+## Questions?
+
+If you have questions about contributing, feel free to:
+- Open a discussion in the repository
+- Ask in the Hedera Discord
+- Reach out to maintainers
+
+Thank you for contributing to Hedera EVM Testing! 🎉

KNOWN_ISSUES.md

@@ -0,0 +1,93 @@
+# Known Dependency Issues
+
+This document tracks known dependency vulnerabilities and issues in the repository.
+
+## Status
+
+Last updated: 2026-01-14
+
+### evm-gas-schedule-compatibility-regression
+
+**Remaining vulnerabilities:** 9 (8 low, 1 high)
+
+The following vulnerabilities remain after running `npm audit fix`:
+
+1. **elliptic** - Multiple security advisories
+   - Status: No fix available without breaking changes
+   - Impact: Development/testing only - not used in production
+   - Mitigation: Only used for testing purposes with known test keys
+   - Tracked via: @hashgraph/sdk dependency chain
+
+2. **glob** (v10.2.0 - 10.4.5) - Command injection via -c/--cmd
+   - Severity: High
+   - Status: Fix available via `npm audit fix`
+   - Note: Not directly used in production contexts
+
+### system-contract-testing
+
+**Note:** The system-contract-testing package has complex dependency chains with several known vulnerabilities in development dependencies:
+
+1. **elliptic** - Cryptographic implementation issues
+   - Impact: Testing environment only
+   - Used via @hashgraph/sdk, hardhat, and other testing tools
+   - Mitigation: Only test keys are used (never production keys)
+
+2. **cookie** - Out of bounds characters vulnerability
+   - Impact: Development tooling only (via hardhat/sentry)
+   - Not used in production deployments
+
+3. **@smithy/config-resolver** - Defense in depth enhancement
+   - Impact: Development dependency
+   - Used by AWS SDK in dev dependencies
+
+## Security Considerations
+
+### Test Keys Warning
+
+⚠️ **Important:** All private keys in this repository are for **TESTING ONLY** and are publicly documented. These keys should never be used in production environments.
+
+The following test keys are intentionally exposed in the codebase:
+- `TEST_ACCOUNT_ECDSA_PRIVATE_KEY_DER_1`: f70febf7420398c3892ce79fdc393c1a5487ad27
+- `TEST_ACCOUNT_ECDSA_PRIVATE_KEY_DER_2`: dbe82db504ca6701fbe59e638ceaddbdb691067b
+- `TEST_ACCOUNT_ECDSA_PRIVATE_KEY_DER_3`: 84b4d82e6ed64102d0faa6c29bf4e9f541db442f
+
+These are known test keys for local development and CI/CD testing only.
+
+## Recommendations
+
+1. **For Contributors:**
+   - Run `npm audit` before adding new dependencies
+   - Check the [GitHub Advisory Database](https://github.com/advisories) for new vulnerabilities
+   - Prefer dependencies with active maintenance and security updates
+
+2. **For Users:**
+   - Only use this repository for testing and development
+   - Never use test keys or configurations in production environments
+   - Keep dependencies updated by running `npm install` regularly
+
+3. **For Maintainers:**
+   - Review this document quarterly
+   - Update dependencies when security patches are available
+   - Monitor for breaking changes in dependency updates
+
+## Updating Dependencies
+
+To update dependencies safely:
+
+```bash
+# Check for updates
+npm outdated
+
+# Update to latest compatible versions
+npm update
+
+# For security fixes (may include breaking changes)
+npm audit fix --force
+
+# Verify tests still pass
+npm test
+```
+
+## Reporting New Issues
+
+If you discover a new security vulnerability, please follow our [Security Policy](SECURITY.md).

SECURITY.md

@@ -0,0 +1,56 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+The Hedera team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
+
+### How to Report
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report security vulnerabilities by emailing [security@hedera.com](mailto:security@hedera.com).
+
+You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
+
+Please include the following information in your report:
+
+- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Security Update Policy
+
+Security updates will be released as soon as possible after a vulnerability is confirmed and a fix is available.
+
+## Supported Versions
+
+We recommend using the latest version of the software to ensure you have the latest security updates.
+
+## Scope
+
+This security policy applies to the hedera-evm-testing repository and its associated projects:
+- System contracts testing
+- EVM gas schedule compatibility regression testing
+
+### Test Keys and Credentials
+
+Please note that private keys and credentials found in this repository are for **testing purposes only** and should never be used in production environments. These test keys are publicly known and documented in the codebase.
+
+## Security Best Practices
+
+When contributing to this repository:
+
+1. **Never commit production credentials** - Only use test credentials that are already documented
+2. **Keep dependencies updated** - Regularly check for and update vulnerable dependencies
+3. **Follow secure coding practices** - Review code for common vulnerabilities before submitting PRs
+4. **Use the latest versions** - Ensure you're using up-to-date versions of Node.js and other tools
+
+## Acknowledgments
+
+We appreciate the security research community's efforts in helping keep our projects secure.

evm-gas-schedule-compatibility-regression/config.js

@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: Apache-2.0
+
 const get = function (parameter) {
     const valueArg = process.argv.find(arg => arg.startsWith(`--${parameter}=`)) || '';
     let value = valueArg.replace(`--${parameter}=`, '').split(',').filter(Boolean);