feat(security): establish ML security and governance framework

- Add MIT License for open source compatibility and broader adoption
- Implement comprehensive SECURITY.md with ML-specific security guidelines
- Create .github/SECURITY.md template for GitHub security issue reporting
- Add extensive .gitignore for ML/AI development security best practices

ML Security features:
- Model integrity verification with SHA-256 checksums
- Adversarial robustness testing and bias detection protocols
- Data privacy and anonymization procedures for training datasets
- LGPD compliance for sensitive government data handling
- Secure model serving and deployment guidelines

Development security enhancements:
- Protection against accidental commit of model artifacts and datasets
- Security patterns for ML pipelines and training infrastructure
- Comprehensive coverage of ML/AI specific files and directories
- Support for MLOps tools (MLflow, Weights & Biases, DVC)

.github/SECURITY.md

@@ -0,0 +1,39 @@
+# 🔒 Security Policy
+
+## 🚨 Reporting Security Vulnerabilities
+
+**Do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them by email to: **security@cidadao.ai**
+
+Please include the following information:
+- Description of the vulnerability
+- Affected models or components
+- Steps to reproduce
+- Potential impact on model security
+- Data samples (if safe to share)
+- Suggested fix (if any)
+
+## 📋 Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.0.x   | :white_check_mark: |
+
+## 🛡️ ML Security Features
+
+- Model integrity verification (SHA-256)
+- Adversarial robustness testing
+- Data privacy and anonymization
+- Secure model serving
+- Bias detection and mitigation
+- LGPD compliance for training data
+
+## 📞 Contact
+
+- **Security Team**: security@cidadao.ai
+- **ML Security**: ml-security@cidadao.ai
+- **Response Time**: Within 48 hours
+- **Coordinated Disclosure**: We practice responsible disclosure
+
+For more details, see our full [SECURITY.md](../SECURITY.md) file.

.gitignore

@@ -0,0 +1,271 @@
+# Cidadão.AI Models - .gitignore
+# Machine Learning and MLOps specific gitignore
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# ML/AI Specific Files
+# ===================
+
+# Model artifacts
+models/
+*.pkl
+*.joblib
+*.h5
+*.hdf5
+*.pb
+*.pth
+*.pt
+*.onnx
+*.tflite
+*.mlmodel
+*.coreml
+
+# Large datasets
+datasets/
+data/
+*.csv
+*.json
+*.parquet
+*.feather
+*.hdf
+*.h5
+
+# Training artifacts
+logs/
+runs/
+experiments/
+checkpoints/
+artifacts/
+outputs/
+
+# MLflow
+mlruns/
+mlflow.db
+.mlflow/
+
+# Weights & Biases
+wandb/
+
+# TensorBoard
+tensorboard/
+tb_logs/
+
+# DVC (Data Version Control)
+.dvc/
+.dvcignore
+
+# Jupyter notebook outputs
+*checkpoint.ipynb
+
+# Large files that shouldn't be in git
+*.zip
+*.tar.gz
+*.rar
+*.7z
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Security
+.secrets/
+secrets.yaml
+secrets.json
+*.key
+*.pem
+*.crt
+*.p12
+*.pfx
+
+# Docker
+.dockerignore
+docker-compose.override.yml
+
+# Temporary files
+tmp/
+temp/
+*.tmp
+*.temp
+
+# HuggingFace cache
+.cache/
+transformers_cache/
+
+# Custom model configs that may contain secrets
+*config.secret.yaml
+*config.secret.json
+*config.local.yaml
+*config.local.json
+
+# Training data that may be sensitive
+training_data/
+raw_data/
+sensitive_data/
+
+# Model evaluation reports (may contain sensitive info)
+evaluation_reports/
+performance_reports/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Anderson Henrique da Silva
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

SECURITY.md

@@ -0,0 +1,212 @@
+# 🔒 Security Policy - Cidadão.AI Models
+
+## 📋 Overview
+
+This document outlines the security practices and vulnerability disclosure process for the Cidadão.AI Models repository, which contains machine learning models and MLOps infrastructure for government transparency analysis.
+
+## ⚠️ Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.0.x   | :white_check_mark: |
+
+## 🛡️ Security Features
+
+### ML Model Security
+- **Model Integrity**: SHA-256 checksums for all model artifacts
+- **Supply Chain Security**: Verified model provenance and lineage
+- **Input Validation**: Robust validation of all model inputs
+- **Output Sanitization**: Safe handling of model predictions
+- **Adversarial Robustness**: Testing against adversarial attacks
+
+### Data Security
+- **Data Privacy**: Personal data anonymization in training datasets
+- **LGPD Compliance**: Brazilian data protection law compliance
+- **Secure Storage**: Encrypted storage of sensitive training data
+- **Access Controls**: Role-based access to model artifacts
+- **Audit Trails**: Complete logging of model training and deployment
+
+### Infrastructure Security
+- **Container Security**: Secure Docker images with minimal attack surface
+- **Dependency Scanning**: Regular vulnerability scanning of Python packages
+- **Secret Management**: Secure handling of API keys and model credentials
+- **Network Security**: Encrypted communications for all model serving
+- **Environment Isolation**: Separate environments for training and production
+
+## 🚨 Reporting Security Vulnerabilities
+
+### How to Report
+1. **DO NOT** create a public GitHub issue for security vulnerabilities
+2. Send an email to: **security@cidadao.ai** (or andersonhs27@gmail.com)
+3. Include detailed information about the vulnerability
+4. We will acknowledge receipt within 48 hours
+
+### What to Include
+- Description of the vulnerability
+- Affected models or components
+- Steps to reproduce the issue
+- Potential impact on model performance or security
+- Data samples (if safe to share)
+- Suggested remediation (if available)
+- Your contact information
+
+### Response Timeline
+- **Initial Response**: Within 48 hours
+- **Investigation**: 1-7 days depending on severity
+- **Model Retraining**: 1-14 days if required
+- **Deployment**: 1-3 days after fix verification
+- **Public Disclosure**: After fix is deployed (coordinated disclosure)
+
+## 🛠️ Security Best Practices
+
+### Model Development Security
+```python
+# Example secure model loading
+import hashlib
+import pickle
+
+def secure_model_load(model_path, expected_hash):
+    """Safely load model with integrity verification"""
+    with open(model_path, 'rb') as f:
+        model_data = f.read()
+    
+    # Verify model integrity
+    model_hash = hashlib.sha256(model_data).hexdigest()
+    if model_hash != expected_hash:
+        raise SecurityError("Model integrity check failed")
+    
+    return pickle.loads(model_data)
+```
+
+### Data Handling Security
+```python
+# Example data anonymization
+def anonymize_government_data(data):
+    """Remove or hash personally identifiable information"""
+    # Remove CPF, names, addresses
+    # Hash vendor IDs
+    # Preserve analytical utility while protecting privacy
+    return anonymized_data
+```
+
+### Deployment Security
+```bash
+# Security checks before model deployment
+pip audit                           # Check for vulnerable dependencies
+bandit -r src/                     # Security linting
+safety check                       # Known security vulnerabilities
+docker scan cidadao-ai-models:latest # Container vulnerability scan
+```
+
+## 🔍 Security Testing
+
+### Model Security Testing
+- **Adversarial Testing**: Robustness against adversarial examples
+- **Data Poisoning**: Detection of malicious training data
+- **Model Extraction**: Protection against model stealing attacks
+- **Membership Inference**: Privacy testing for training data
+- **Fairness Testing**: Bias detection across demographic groups
+
+### Infrastructure Testing
+- **Penetration Testing**: Regular security assessments
+- **Dependency Scanning**: Automated vulnerability detection
+- **Container Security**: Image scanning and hardening
+- **API Security**: Authentication and authorization testing
+- **Network Security**: Encryption and secure communications
+
+## 🎯 Model-Specific Security Considerations
+
+### Corruption Detection Models
+- **False Positive Impact**: Careful calibration to minimize false accusations
+- **Bias Prevention**: Regular testing for demographic and regional bias
+- **Transparency**: Explainable AI for all corruption predictions
+- **Audit Trail**: Complete logging of all corruption detections
+
+### Anomaly Detection Models
+- **Threshold Management**: Secure configuration of anomaly thresholds
+- **Feature Security**: Protection of sensitive features from exposure
+- **Model Drift**: Monitoring for performance degradation over time
+- **Validation**: Human expert validation of anomaly predictions
+
+### Natural Language Models
+- **Text Sanitization**: Safe handling of government document text
+- **Information Extraction**: Secure extraction without data leakage
+- **Language Security**: Protection against prompt injection attacks
+- **Content Filtering**: Removal of personally identifiable information
+
+## 📊 Privacy and Ethics
+
+### Data Privacy
+- **Anonymization**: Personal data removed or hashed in all models
+- **Minimal Collection**: Only necessary data used for model training
+- **Retention Limits**: Training data deleted after model deployment
+- **Access Logs**: Complete audit trail of data access
+- **Consent Management**: Respect for data subject rights under LGPD
+
+### Ethical AI
+- **Fairness**: Regular bias testing and mitigation
+- **Transparency**: Explainable predictions for all model outputs
+- **Accountability**: Clear responsibility for model decisions
+- **Human Oversight**: Human review required for high-impact predictions
+- **Social Impact**: Assessment of model impact on society
+
+## 📞 Contact Information
+
+### Security Team
+- **Primary Contact**: security@cidadao.ai
+- **ML Security**: ml-security@cidadao.ai (or andersonhs27@gmail.com)
+- **Data Privacy**: privacy@cidadao.ai (or andersonhs27@gmail.com)
+- **Response SLA**: 48 hours for critical model security issues
+
+### Emergency Contact
+For critical security incidents affecting production models:
+- **Email**: security@cidadao.ai (Priority: CRITICAL)
+- **Subject**: [URGENT ML SECURITY] Brief description
+
+## 🔬 Model Governance
+
+### Model Registry Security
+- **Version Control**: Secure versioning of all model artifacts
+- **Access Control**: Role-based access to model registry
+- **Audit Logging**: Complete history of model updates
+- **Approval Process**: Required approval for production deployments
+
+### Monitoring and Alerting
+- **Performance Monitoring**: Real-time model performance tracking
+- **Security Monitoring**: Detection of anomalous model behavior
+- **Data Drift Detection**: Monitoring for changes in input distributions
+- **Alert System**: Immediate notification of security incidents
+
+## 📚 Security Resources
+
+### ML Security Documentation
+- [OWASP Machine Learning Security Top 10](https://owasp.org/www-project-machine-learning-security-top-10/)
+- [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework)
+- [Google ML Security Best Practices](https://cloud.google.com/architecture/mlops-continuous-delivery-and-automation-pipelines-in-machine-learning)
+
+### Security Tools
+- **Model Scanning**: TensorFlow Privacy, PyTorch Security
+- **Data Validation**: TensorFlow Data Validation (TFDV)
+- **Bias Detection**: Fairness Indicators, AI Fairness 360
+- **Adversarial Testing**: Foolbox, CleverHans
+
+## 🔄 Incident Response
+
+### Model Security Incidents
+1. **Immediate Response**: Isolate affected models from production
+2. **Assessment**: Evaluate impact and scope of security breach
+3. **Containment**: Prevent further damage or data exposure
+4. **Investigation**: Determine root cause and affected systems
+5. **Recovery**: Retrain or redeploy secure models
+6. **Post-Incident**: Review and improve security measures
+
+### Communication Plan
+- **Internal**: Immediate notification to security team and stakeholders
+- **External**: Coordinated disclosure to affected users and regulators
+- **Public**: Transparent communication about resolved issues
+
+---
+
+**Note**: This security policy is reviewed quarterly and updated as needed. Last updated: January 2025.
+
+For questions about this security policy, contact: security@cidadao.ai