Add community health files to meet GitHub Community Standards

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,61 @@
+name: 🐞 Bug report
+description: Report something that isn't working as expected
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug! Please fill out the sections
+        below so we can reproduce and fix it quickly.
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: A clear and concise description of the bug.
+      placeholder: When I spin the roulette in demo mode, ...
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      description: How can we reproduce the problem?
+      placeholder: |
+        1. Go to '...'
+        2. Click on '...'
+        3. See error
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What did you expect to happen instead?
+    validations:
+      required: true
+  - type: dropdown
+    id: mode
+    attributes:
+      label: Which mode?
+      description: Were you in demo mode or real mode (signed in with a token)?
+      options:
+        - Demo mode (?demo=1)
+        - Real mode (signed in)
+        - Not sure / both
+    validations:
+      required: true
+  - type: input
+    id: environment
+    attributes:
+      label: Environment
+      description: Browser, OS, and whether it was local (`npm run dev`) or deployed.
+      placeholder: Chrome 124 on macOS, deployed on Vercel
+    validations:
+      required: false
+  - type: textarea
+    id: extra
+    attributes:
+      label: Anything else?
+      description: Screenshots, console errors, or other context. Do NOT paste your daily.dev API token.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: 🔒 Report a security vulnerability
+    url: https://github.com/finallyjay/daily-dev-roulette/security/advisories/new
+    about: Please report security issues privately, not as public issues. See SECURITY.md.
+  - name: 💬 Questions & ideas
+    url: https://github.com/finallyjay/daily-dev-roulette/discussions
+    about: Ask questions or discuss ideas in Discussions (if enabled).

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,32 @@
+name: 💡 Feature request / new roulette mode
+description: Suggest an improvement or a new roulette mode
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Got an idea for a new roulette mode or an improvement? Tell us about it!
+        daily.dev's Public API exposes feeds, follows, and tech stack — all
+        candidates for future modes.
+  - type: textarea
+    id: problem
+    attributes:
+      label: What's the idea?
+      description: Describe the feature or roulette mode you'd like to see.
+      placeholder: A "Feeds Roulette" that ...
+    validations:
+      required: true
+  - type: textarea
+    id: motivation
+    attributes:
+      label: Why is it useful?
+      description: What problem does it solve, or what makes it fun?
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Any other approaches you thought about?
+    validations:
+      required: false

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,37 @@
+<!--
+Thanks for contributing to daily.dev Roulette! 🎲
+Please fill out the sections below. Keep PRs focused on one logical change.
+-->
+
+## What does this PR do?
+
+<!-- A clear description of the change. -->
+
+## Related issue
+
+<!-- e.g. "Closes #12". Open an issue first for anything non-trivial. -->
+
+Closes #
+
+## Type of change
+
+- [ ] 🐞 Bug fix
+- [ ] ✨ New feature / new roulette mode
+- [ ] 🧹 Refactor / cleanup
+- [ ] 📝 Docs
+- [ ] Other:
+
+## How was this tested?
+
+- [ ] `npm run build` succeeds
+- [ ] Tested manually in **demo mode** (`/roulette?demo=1`)
+- [ ] Tested manually in **real mode** (signed in with a token) — if applicable
+
+<!-- Describe what you exercised and any screenshots. -->
+
+## Checklist
+
+- [ ] My change follows the existing code style and stays focused.
+- [ ] I did not log, expose, or commit any daily.dev API token or secret.
+- [ ] Token handling (if touched) stays server-side in `src/lib/` / `src/pages/api/`.
+- [ ] I updated docs (README/CONTRIBUTING) if behavior or setup changed.

CODE_OF_CONDUCT.md

@@ -0,0 +1,62 @@
+# Code of Conduct
+
+## Our pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Demonstrating empathy and kindness toward other people.
+- Being respectful of differing opinions, viewpoints, and experiences.
+- Giving and gracefully accepting constructive feedback.
+- Accepting responsibility, apologizing to those affected by our mistakes, and
+  learning from the experience.
+- Focusing on what is best not just for us as individuals, but for the overall
+  community.
+
+Examples of unacceptable behavior include harassment of any kind, trolling or
+insulting comments, personal or political attacks, publishing others' private
+information without permission, and any other conduct which could reasonably be
+considered inappropriate in a professional setting.
+
+## Enforcement responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+**finallyjay@gmail.com**. All complaints will be reviewed and investigated
+promptly and fairly. Community leaders are obligated to respect the privacy and
+security of the reporter of any incident.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.
+
+[homepage]: https://www.contributor-covenant.org

CONTRIBUTING.md

@@ -0,0 +1,71 @@
+# Contributing to daily.dev Roulette
+
+Thanks for your interest in contributing! This project started as a daily.dev
+hackathon hack, and it's built to grow — the long-term idea is a hub of
+"roulette" modes, so new modes and improvements are very welcome.
+
+## Code of Conduct
+
+This project follows the [Contributor Covenant](./CODE_OF_CONDUCT.md). By
+participating, you're expected to uphold it. Report unacceptable behavior to
+**finallyjay@gmail.com**.
+
+## Getting started
+
+```bash
+git clone https://github.com/finallyjay/daily-dev-roulette.git
+cd daily-dev-roulette
+npm install
+npm run dev      # http://localhost:4321
+```
+
+No environment variables are required — **demo mode** (`/roulette?demo=1`) runs
+entirely in the browser on a fake bookmark pile, so you can develop without a
+daily.dev Plus account or token.
+
+Optionally, copy `.env.example` to `.env` and set `DAILY_TOKEN` to power the
+"Try the demo" button with a real token (see the file for details).
+
+## Project layout
+
+See the **Architecture** section of the [README](./README.md) for a file-by-file
+map. In short:
+
+- `src/pages/` — routes (hub, roulette, and the `api/` server proxy)
+- `src/lib/` — server-only daily.dev client, session/auth, and demo data
+- `src/layouts/` — shared shell
+
+## Making a change
+
+1. **Open an issue first** for anything non-trivial, so we can agree on the
+   approach before you invest time.
+2. Create a branch off `main`: `git checkout -b my-feature`.
+3. Keep changes focused — one logical change per pull request.
+4. Match the existing style: TypeScript, Astro components, and the current
+   formatting/naming conventions. No formatter config is enforced yet, so just
+   keep diffs clean and consistent with surrounding code.
+5. **Test your change manually**: run `npm run dev` and exercise both demo mode
+   and (if you have Plus) real mode. Run `npm run build` to confirm the
+   production build passes.
+
+## Security
+
+The daily.dev token is sensitive. Never log it, never expose it to client JS,
+and keep all token handling inside the server-side `src/lib/` and `src/pages/api/`
+code. If you find a vulnerability, please follow [SECURITY.md](./SECURITY.md)
+instead of opening a public issue.
+
+## Pull requests
+
+- Fill out the pull request template.
+- Reference the issue your PR addresses (e.g. "Closes #12").
+- Make sure `npm run build` succeeds.
+- Be patient and kind in review — this is a small, friendly project.
+
+## Ideas for new roulette modes
+
+daily.dev's Public API exposes more than bookmarks (feeds, follows, tech stack).
+Those are great candidates for future roulette modes — see the **API notes** in
+the README and `spike/spike.mjs` for a standalone API probe.
+
+Thanks for helping put daily.dev habits on the line, one spin at a time. 🎲

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Jay (finallyjay)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

SECURITY.md

@@ -0,0 +1,44 @@
+# Security Policy
+
+## Supported versions
+
+This is a small hackathon project under active, informal development. Only the
+latest `main` branch is supported — security fixes land there.
+
+| Version | Supported |
+| ------- | --------- |
+| `main`  | ✅        |
+| older   | ❌        |
+
+## Reporting a vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, report them privately so they can be fixed before disclosure:
+
+- Preferred: open a [private security advisory](https://github.com/finallyjay/daily-dev-roulette/security/advisories/new)
+  on GitHub, **or**
+- Email **finallyjay@gmail.com** with the details.
+
+Please include:
+
+- A description of the vulnerability and its impact.
+- Steps to reproduce (a proof of concept if possible).
+- Any suggested remediation.
+
+You can expect an initial acknowledgement within a few days. Once the issue is
+confirmed and fixed, we're happy to credit you in the release notes unless you
+prefer to stay anonymous.
+
+## Scope and sensitive data
+
+The most sensitive asset in this app is the **daily.dev API token**:
+
+- The token is validated server-side and stored in an **httpOnly cookie**, so it
+  is never exposed to client-side JavaScript.
+- All daily.dev API calls are proxied through Astro server routes
+  (`src/pages/api/`), so the token never reaches the browser and there are no
+  CORS workarounds.
+
+Reports about token leakage, session handling, the server-side proxy, or any way
+to exfiltrate the token are especially appreciated.

package.json

@@ -3,6 +3,7 @@
   "type": "module",
   "version": "0.1.0",
   "private": true,
+  "license": "MIT",
   "scripts": {
     "dev": "astro dev",
     "build": "astro build",