chore: guard audit and deny tooling

.github/workflows/ci.yml

@@ -108,3 +108,41 @@ jobs:
           cache-on-failure: true
       - name: cargo check --target wasm32v1-none (contracts)
         run: cargo check ${{ env.CONTRACTS }} --target wasm32v1-none
+
+  audit:
+    name: Security audit
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          cache: false
+      - name: Cache cargo registry and target
+        uses: Swatinem/rust-cache@v2
+        with:
+          cache-on-failure: true
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+      - name: make audit
+        run: make audit
+
+  deny:
+    name: Dependency policy
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          cache: false
+      - name: Cache cargo registry and target
+        uses: Swatinem/rust-cache@v2
+        with:
+          cache-on-failure: true
+      - name: Install cargo-deny
+        run: cargo install cargo-deny --locked
+      - name: make deny
+        run: make deny

CONTRIBUTING.md

@@ -0,0 +1,36 @@
+# Contributing
+
+Thanks for helping improve OrbitChain. This guide covers the local checks contributors should run before opening a pull request.
+
+## Prerequisites
+
+- Rust stable toolchain, managed by `rust-toolchain.toml`
+- `wasm32v1-none` target for Soroban contract builds
+- Soroban/Stellar CLI for deployment workflows
+- Security scan tools:
+
+```bash
+cargo install cargo-audit --locked
+cargo install cargo-deny --locked
+```
+
+## Local Workflow
+
+```bash
+make fmt
+make lint
+make test
+make audit
+make deny
+```
+
+`make audit` checks dependencies with `cargo-audit`. `make deny` checks license and dependency policy with `cargo-deny`.
+
+If either security tool is missing, the Makefile prints the exact `cargo install ... --locked` command and exits with a non-zero status before running the scan.
+
+## Pull Request Checklist
+
+- [ ] Run formatting, linting, and tests for the touched crates.
+- [ ] Run `make audit` and `make deny`, or explain why they were not run.
+- [ ] Update README or contract docs when behavior, commands, or contributor workflow changes.
+- [ ] Call out security-sensitive changes, especially auth, signatures, fund movement, or dependency policy updates.

Makefile

@@ -82,12 +82,20 @@ deploy-testnet: build-wasm
 
 # Run cargo-audit for vulnerability scanning
 audit:
+	@if ! command -v cargo-audit >/dev/null 2>&1; then \
+		echo "❌ cargo-audit not installed. Run 'cargo install cargo-audit --locked' then retry." >&2; \
+		exit 1; \
+	fi
 	@echo "🔒 Running security audit..."
 	cargo audit
 	@echo "✅ Security audit passed"
 
 # Run cargo-deny for license compliance
 deny:
+	@if ! command -v cargo-deny >/dev/null 2>&1; then \
+		echo "❌ cargo-deny not installed. Run 'cargo install cargo-deny --locked' then retry." >&2; \
+		exit 1; \
+	fi
 	@echo "📋 Checking license compliance..."
 	cargo deny check
 	@echo "✅ License check passed"
@@ -112,5 +120,7 @@ help:
 	@echo "  make sandbox-start  - Start local Stellar sandbox (requires Docker)"
 	@echo "  make deploy-sandbox - Deploy contract to local sandbox"
 	@echo "  make deploy-testnet - Deploy contract to Stellar testnet"
+	@echo "  make audit          - Run cargo-audit vulnerability scan"
+	@echo "  make deny           - Run cargo-deny policy checks"
 	@echo "  make optimize       - Optimize WASM with wasm-opt -Oz"
 	@echo "  make help           - Show this help message"

README.md

@@ -476,6 +476,13 @@ This project uses `cargo-audit` and `cargo-deny` to maintain high security stand
 
 ### Local Scans
 
+Install the scan tools before running the Makefile targets:
+
+```bash
+cargo install cargo-audit --locked
+cargo install cargo-deny --locked
+```
+
 You can run the security scans locally using the following commands:
 
 - **Check for vulnerabilities**:
@@ -507,6 +514,8 @@ If a license or ban policy violation is found:
 
 Security scans are automatically run on every push and pull request. CI will fail if any known vulnerabilities or policy violations are detected.
 
+The CI workflow installs `cargo-audit` and `cargo-deny` before invoking `make audit` and `make deny`, so missing binaries fail with the same actionable message contributors see locally.
+
 # 📜 License
 
 MIT License — free to use, modify, and distribute.