badhope · badhope · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
@@ -1,12 +1,22 @@
-# Code owners: auto-assign reviewers for pull requests.
-# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+# CODEOWNERS — default review ownership
+# badhope is the sole owner; replace with team handles in a
+# multi-maintainer setup.
 
-# Default owner for everything in the repo.
+# Default: everything
 *       @badhope
 
-# Security-sensitive files get an explicit owner reminder.
-/SECURITY.md         @badhope
-/.github/workflows/  @badhope
-/.gitleaks.toml      @badhope
-/.github/dependabot.yml @badhope
-/CODEOWNERS          @badhope
+# GitHub configuration
+/.github/        @badhope
+
+# Documentation
+/docs/           @badhope
+/README.md       @badhope
+/CHANGELOG.md    @badhope
+
+# Build / release config
+/package.json    @badhope
+/uv.lock         @badhope
+/package-lock.json @badhope
+/pnpm-lock.yaml  @badhope
+/Cargo.toml      @badhope
+/Cargo.lock      @badhope
@@ -0,0 +1,63 @@
+# Contributing
+
+Thanks for your interest in contributing! This document covers the
+ground rules so your PR can land quickly and cleanly.
+
+## Branch & PR workflow
+
+> **Direct pushes to `main` are blocked by branch protection.**
+
+1. **Fork** (or create a feature branch if you have write access).
+2. **Branch off `main`**: `git switch -c feat/short-description`
+3. **Make focused commits** following
+   [Conventional Commits](https://www.conventionalcommits.org/):
+   - `feat: …`        — new feature
+   - `fix: …`         — bug fix
+   - `refactor: …`    — no behaviour change
+   - `docs: …`        — documentation only
+   - `chore(deps): …` — dependency bumps
+   - `security: …`    — security fix
+4. **Push your branch**: `git push -u origin feat/short-description`
+5. **Open a Pull Request** against `main`. Fill in the PR template.
+6. **Wait for CI** (gitleaks + CodeQL on every repo that has code).
+7. **Squash-merge** is the default. One commit per logical change.
+   The merge commit subject will become the PR title.
+
+## Code style
+
+- Match the existing style of the file you are editing.
+- Keep diffs minimal — don't reformat unrelated code.
+- Add tests for new behaviour. Bug fixes should add a regression test
+  that fails on `main` and passes on your branch.
+- No dead code, no commented-out code, no orphan TODO comments.
+
+## Security
+
+- **Never commit secrets, tokens, API keys, or `.env` files.**
+  Push-protection is on; if you bypass it, **rotate the credential**.
+  See [SECURITY.md](./SECURITY.md).
+- Don't paste stack traces that contain real user data in issues.
+- If you find a vulnerability, follow the
+  [private disclosure process](./SECURITY.md) — do not open a public
+  issue.
+
+## Dependencies
+
+- Dependabot opens weekly PRs for all package ecosystems detected
+  in the repo (npm, pip, cargo, docker, github-actions, gitsubmodule,
+  composer, gomod, bundler, nuget, maven, gradle).
+- Dependabot PRs are auto-mergeable when CI passes — they do not need
+  a review from a human (the branch is signed and the diff is small).
+- Major-version bumps that touch lockfiles will be reviewed manually.
+
+## Issue triage
+
+- New issues are auto-labelled **bug** / **enhancement** / **security**
+  via the issue templates.
+- Please use the right template. Issues without a template take longer
+  to triage.
+
+## License
+
+By submitting a contribution, you agree that your work will be
+licensed under the same license as the repository.
@@ -1,38 +1,40 @@
 ---
 name: Bug report
-about: Something on the deployed site or in the data is broken
+about: Something is broken
 title: "[bug] "
-labels: ["bug", "needs-triage"]
-assignees: []
+labels: bug
+assignees: badhope
 ---
 
-## What happened
+## Describe the bug
 
-A clear, one-sentence description of the bug.
+<!-- A clear and concise description of what the bug is. -->
 
-## Steps to reproduce
+## To reproduce
 
-1. Go to '…'
-2. Click on '…'
-3. See '…'
+```bash
+# Minimal reproduction steps
+```
 
 ## Expected behaviour
 
-What you expected to happen.
+<!-- What you expected to happen. -->
 
 ## Actual behaviour
 
-What actually happened. Include screenshots / copy-pasted error text /
-relevant snippets from the browser dev-tools console or Network tab.
+<!-- What actually happened. Include stack traces, error messages,
+screenshots. -->
 
 ## Environment
 
-- Page URL (e.g. `https://badhope.github.io/API-Market/stats/`)
-- Browser + version
-- Device (desktop / mobile, OS)
-- Does the issue reproduce in a private / incognito window?
+- OS: <!-- e.g. macOS 14.4 -->
+- Runtime version: <!-- e.g. Node 20.11, Python 3.11 -->
+- Package version: <!-- git rev-parse HEAD, or npm/pip version -->
+- Date observed: <!-- 2026-06-10 -->
 
-## Possible cause
+## Severity
 
-Optional — if you've already traced the problem to a file, route, or
-query parameter, mention it here.
+- [ ] Blocker — production is down
+- [ ] High — feature unusable
+- [ ] Medium — workaround exists
+- [ ] Low — cosmetic
@@ -1,35 +1,25 @@
 ---
 name: Feature request
-about: Suggest an improvement to the platform, the site, or the data
-title: "[feature] "
-labels: ["enhancement", "needs-triage"]
-assignees: []
+about: Suggest an idea
+title: "[feat] "
+labels: enhancement
+assignees: badhope
 ---
 
-## Summary
+## Problem
 
-One-paragraph description of the feature.
-
-## Motivation
-
-What problem does this solve? Who is it for? Is there a workaround
-today?
+<!-- What's the underlying problem or gap? -->
 
 ## Proposed solution
 
-How would you like this to work? Mockups / ASCII sketches / example
-URLs are very welcome.
+<!-- Describe the feature you'd like. -->
 
 ## Alternatives considered
 
-Other approaches you've thought about, and why you prefer the one
-above.
+<!-- Other ways you thought about solving this. -->
 
-## Scope
+## Willingness to contribute
 
-- [ ] Frontend only (`frontend/src/`)
-- [ ] Backend only (`backend/api_market/`)
-- [ ] Data pipeline (`pipeline/collector.py` / `scripts/`)
-- [ ] Static export / GitHub Pages deployment
-- [ ] Documentation / translations
-- [ ] Not sure — happy to discuss
+- [ ] I would submit a PR for this
+- [ ] I would test a PR for this
+- [ ] I would only discuss / design
@@ -0,0 +1,39 @@
+---
+name: Security report
+about: Report a vulnerability (PRIVATE)
+title: "[security] "
+labels: security
+assignees: badhope
+---
+
+> **Please do not disclose the vulnerability in a public issue.**
+> Use this private channel and the repository owner will respond within
+> 7 days. If you cannot wait, email the security contact listed in
+> [SECURITY.md](./SECURITY.md).
+
+## Summary
+
+<!-- One-paragraph summary of the vulnerability. -->
+
+## Affected component(s)
+
+- File(s):
+- Function(s) / endpoint(s):
+- Version / commit SHA:
+
+## Severity (your estimate)
+
+- [ ] Critical
+- [ ] High
+- [ ] Medium
+- [ ] Low
+
+## Reproduction
+
+```bash
+# Minimal steps / payload
+```
+
+## Impact
+
+<!-- What an attacker can do. -->
@@ -1,27 +1,36 @@
 ## What
 
-<!-- One line: what this PR does -->
+<!-- One-paragraph description of the change. -->
 
 ## Why
 
-<!-- The reason. What problem does this fix / what value does it add? -->
+<!-- Motivation. Link any issue this PR fixes (Fixes #123). -->
 
 ## How
 
-<!-- Approach, breaking changes, anything weird you did -->
+<!-- Approach: list the changes, files touched, design decisions. -->
 
-## Tested
+## Test plan
 
-<!-- How you tested. If you didn't, say so and tell me why -->
+<!-- How did you verify? Which commands, which test suites? -->
 
-## Checklist
+- [ ] Existing tests pass
+- [ ] Added tests for new behaviour
+- [ ] Manually verified in dev / staging
+
+## Risk & rollout
 
-- [ ] I have read [`CONTRIBUTING.md`](./CONTRIBUTING.md)
-- [ ] Tests pass locally (and CI is green)
-- [ ] I didn't add any new linter / typecheck warnings
-- [ ] I didn't commit any secrets, build output, or large binaries
-- [ ] I added a `CHANGELOG.md` entry under "Unreleased" if it matters
+<!-- What can break? Is rollback straightforward? Is there a feature flag? -->
+
+## Checklist
 
-## Screenshots / Logs
+- [ ] My branch is up-to-date with the base branch
+- [ ] I ran `gitleaks` locally (or let CI do it)
+- [ ] I added / updated tests for new behaviour
+- [ ] I updated documentation (README, CHANGELOG, …)
+- [ ] I did **not** commit any secrets, tokens, or credentials
+- [ ] My commit messages follow [Conventional Commits](https://www.conventionalcommits.org/)
 
-<!-- Drag in images for UI changes. Paste (redacted) logs for runtime changes. -->
+> **Never commit secrets.** If you accidentally committed a token,
+> rotate it **immediately** in the provider's settings, then update
+> the PR to remove the secret. See [SECURITY.md](./SECURITY.md).