docs(ospo): community health rollout v2 — README, agents.md, health files

[dj4oC]

Summary

This PR is part of the Kiteworks OSPO community health rollout (kiteworks.com/opensource), applied to all ~110 public ownCloud repositories starting May 5, 2026.

• README.md: Rewritten with v2 OSPO template
  • License-specific OSPO section with Apache 2.0 migration guidance
  • Mandatory Community & Support section: GitHub Discussions, Matrix, docs, enterprise support, OSPO home
  • Contributing workflow: Rebase Early/Often, Dependabot, PGP/GPG-signed commits, DCO sign-off, GitHub Actions policy
  • Security section pointing to security.owncloud.com + YesWeHack bug bounty
  • Translations link to Transifex (owncloud project)
• agents.md (new): AI agent context file with architecture, build commands, OSPO policy constraints
• CODE_OF_CONDUCT.md (new): Redirect to https://owncloud.com/contribute/code-of-conduct/
• CONTRIBUTING.md (new): Redirect to https://owncloud.com/contribute/
• SECURITY.md (new): Redirect to https://security.owncloud.com + YesWeHack
• SUPPORT.md (new): Redirect to https://owncloud.com/contact-us/ and support channels

Test plan

• README renders correctly on GitHub (badges, sections, links)
• All health file links resolve (CODE_OF_CONDUCT, CONTRIBUTING, SECURITY, SUPPORT)
• agents.md loads correctly in Claude Code and GitHub Copilot
• License referenced in README matches actual LICENSE file in repo

---

🤖 Generated with Claude Code as part of the ownCloud OSPO rollout.
Kiteworks OSPO: https://kiteworks.com/opensource

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Overview

This PR is part of the Kiteworks OSPO community health rollout. It rewrites README.md with the v2 OSPO template and adds five community health files (agents.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, SUPPORT.md). The changes are documentation-only and well structured. Overall this is a solid, useful improvement: the new README is clearer than the old one, the build instructions are accurate, and the relative doc links resolve correctly.

I verified the claims against the actual repository contents. Most check out, but a few items below need attention before merge.

Code quality / style

• README structure, badges, and section ordering render correctly as GitHub Markdown.
• Build instructions are accurate: npm install, npm run antora-local, and npm run serve all exist in package.json, and antora-local does target http://localhost:8080 as stated.
• Relative documentation links resolve: ./docs/the-branching-workflow.md and ./docs/new-version-branch.md both exist.
• agents.md build/test commands are correct: npm run antora (build) and npm run linkcheck (test) both exist. Prettier config (.prettierrc) is present as claimed, and .github/dependabot.yml exists, so the Dependabot references are valid.
• The conditionally-worded, audit-aware license language ("Current license: Not detected", "reflects its current license status") is a sensible way to handle a templated rollout.

Specific suggestions

1. GitHub Discussions is not enabled on this repo. Both the README ("Community Discussions" → https://github.com/orgs/owncloud/discussions) and SUPPORT.md ("Community discussions") link to org-level Discussions. The repo has has_discussions: false. The org-level link may still work if Discussions exist elsewhere in the org, but please confirm the org Discussions tab is actually populated/enabled — otherwise this is a dead-end link for users seeking support.

2. README "License" section links to a nonexistent LICENSE file. The License section says See [LICENSE](LICENSE) for license details. and the badge also points to LICENSE, but there is no LICENSE file in this repository. This produces a broken link / 404 badge target. The "About the OSPO" section already acknowledges "Current license: Not detected", so the explicit [LICENSE](LICENSE) link and badge are inconsistent with that and with the repo reality. Suggest either adding a LICENSE file or softening the License section to not link to a missing file.

3. agents.md "Primary language(s): JavaScript" is misleading. This is a documentation component — the substantive content is AsciiDoc under modules/, with JavaScript only in the Antora/AsciiDoc extension helpers (ext-antora/, ext-asciidoc/, lib/). Calling the primary language JavaScript may misdirect an AI agent. Consider "AsciiDoc (content); JavaScript (Antora extensions)".

4. agents.md Lint command and grammar nits:

   • "Lint: Not detected (Prettier config present for formatting)" — Prettier is present, so this is slightly self-contradictory; consider listing npx prettier as the formatter.
   • Typo: "compatible with the the license specified in the repository license" — duplicated/garbled wording ("the the … license").

5. Doc-accuracy nit in README "Getting Started": the serve script serves the public/ directory, which is produced by the full antora/antora-local build. The three-command sequence is correct, but a one-line note that serve hosts the generated public/ output would help newcomers.

Potential issues / risks

• Broken link risk (medium): the LICENSE link/badge with no LICENSE file is the most concrete issue — it will 404. Worth fixing since one of the PR's own test-plan items is "License referenced in README matches actual LICENSE file in repo," which currently fails (no LICENSE file exists).
• Discussions link (low-medium): verify org Discussions are live before relying on them as the primary community channel.
• Metadata accuracy (low): the "Primary language: JavaScript" classification in agents.md.
• No security, secret, or config-correctness concerns — all external URLs (security.owncloud.com, YesWeHack, Matrix, Transifex, owncloud.dev) are plausible and consistently used across files. The redirect-style health files are minimal and correct.

Nice work overall — the substance is good and well-verified against the repo. Addressing the LICENSE link inconsistency and the agents.md language/typo items would tighten it up.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

This is a re-review at the current head (4e3e2c0) after new commits were pushed. Focus is on the current state, with attention to issues flagged in the prior review.

Overview

The PR applies the v2 OSPO community-health template: a rewritten README.md plus new agents.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, and SUPPORT.md. The rewrite is well-structured and the new product description (Antora/AsciiDoc component for oCIS docs) is accurate. The redirect-style health files are clean and consistent. Most internal doc links (./docs/the-branching-workflow.md, ./docs/new-version-branch.md) resolve correctly.

Code quality / style

• README structure, badges, and section layout render well and read clearly.
• Health files (CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, SUPPORT.md) are consistent and point to valid external URLs.
• Mixed link styles in SUPPORT.md (bare https://github.com/orgs/owncloud/discussions vs. <...> autolinks elsewhere) — minor cosmetic inconsistency.

Specific suggestions

1. Add a LICENSE file or stop linking to one (see risks). Given package.json declares "license": "AGPL-3.0", committing a matching LICENSE file would fix the broken link and the license-detection contradiction in one step.
2. Fix the contradicting license statements. README "Current license: Not detected" is incorrect — the license is declared in package.json on this same branch.
3. agents.md typo (carried over, not fixed): "All code contributions must be compatible with the the license specified in the repository license" — duplicated "the" and a redundant trailing "license".
4. agents.md "Primary language(s): JavaScript" remains misleading. GitHub linguist does report JavaScript as the top language (AsciiDoc isn't counted as a programming language), so it is defensible by raw stats — but for a repo whose own agents.md lists "Product family: Documentation" and whose substance is AsciiDoc content under modules/, listing JavaScript as the primary language misleads an AI agent about the repo's purpose. Consider "AsciiDoc (docs content); JavaScript (Antora extensions/tooling)".

Potential issues / risks

• Broken LICENSE link — NOT fixed (test-plan item 4 still fails). Verified via the GitHub API that no LICENSE file exists on the PR head branch (ospo/community-health-v2, HTTP 404) nor on master. The README links to it in three places: the License badge ](LICENSE), the ## License section [LICENSE](LICENSE), and agents.md. These are broken links and will fail the PR's own test-plan checkbox ("License referenced in README matches actual LICENSE file in repo") and likely the broken-link-checker CI step.
• License contradiction. README says the current license is "Not detected", but package.json on this branch declares "license": "AGPL-3.0". The two should be reconciled; "Not detected" is factually wrong here.
• AGPL vs. copyleft-dependency guidance. agents.md advises against introducing "new copyleft-licensed dependencies (GPL, AGPL, LGPL, MPL)", yet the repository itself is AGPL-3.0. As written this reads oddly for an AGPL project; clarify the intent (presumably about target Apache-2.0 migration, not the current state).
• Org GitHub Discussions — appears resolved. The previously flagged concern (org Discussions not enabled) no longer reproduces: https://github.com/orgs/owncloud/discussions resolves (HTTP 200) and the org profile exposes a Discussions nav link. The README/SUPPORT links to org-level discussions are therefore valid. (Note: repo-level has_discussions is false, which is fine since the links target the org, not this repo.)

Re-check summary of prior issues

• README → nonexistent LICENSE (broken link): still broken — not fixed.
• Org GitHub Discussions not enabled: resolved (org discussions now live).
• agents.md "primary language: JavaScript" misleading + duplicated-word typo: still present — not fixed (typo "the the" remains; language line unchanged).

Overall: the structural rewrite is solid, but the LICENSE link / license-detection issue is a real, CI-relevant defect and should be addressed before merge.