
Add contributor and security intake docs #5

Merged: punk6529 merged 4 commits into main from codex/ci-review-hardening on Jun 10, 2026

Conversation

punk6529 (Contributor) commented Jun 9, 2026

Summary

This Gate A / Gate G foundation PR adds the repository intake and review-routing layer needed before deeper roadmap work continues.

  • Adds SECURITY.md with pre-audit status, private vulnerability reporting guidance, scope, safe harbor, and security-sensitive roadmap areas.
  • Adds CONTRIBUTING.md with local setup, smoke checks, PR expectations, bot-review expectations, issue quality rules, and documentation expectations.
  • Adds GitHub issue forms for non-security bugs and roadmap items, plus issue-template config that routes security reports away from public issues.
  • Adds a PR template with roadmap, maturity, validation, review-routing, and impact sections.
  • Adds CODEOWNERS with current maintainer routing and a .gitattributes rule to keep it LF-normalized.
  • Hardens CI review plumbing with read-only token permissions, PR-scoped concurrency cancellation, job timeout, whitespace checks, per-script Bash syntax checks, and full PowerShell parser checks.
  • Links the new docs from the README and records the PR state in ops/AUTONOMOUS_RUN.md.

Important Limitations

  • This PR does not implement contract, test, deployment, or audit work.
  • make check still proves compilation and test-command execution only; the repo still has no meaningful protocol tests.
  • CODEOWNERS uses the current visible maintainer handle until dedicated GitHub teams are formalized.

Validation

  • git diff --check origin/main...HEAD passed locally; CI now checks the actual PR/push diff instead of the clean checkout.
  • GitHub issue forms and CI workflow parsed as YAML.
  • Touched docs/templates/workflow files contain no tabs or non-ASCII characters.
  • Each Bash script was checked individually with bash -n: scripts/check.sh and scripts/bootstrap-ec2.sh.
  • PowerShell parser checks passed for scripts\check.ps1 and scripts\bootstrap-windows.ps1 using System.Management.Automation.Language.Parser.ParseFile.
  • Workflow action pin check passed; all uses: references remain pinned to 40-character SHAs.
  • make check passed with the known existing compiler/NatSpec warnings and empty-test baseline.
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1 passed with the known existing warnings and empty-test baseline.
  • GitHub CI run 27243970322 passed on merge-candidate head 20b147e8e0b25bf444bc94e6b926d8ea8035cbd3.

Roadmap

This advances Queue Item 3 from ops/AUTONOMOUS_RUN.md: repo maturity and contributor docs.

Summary by CodeRabbit

  • Documentation

    • Added a comprehensive contribution guide, security policy, status/ops updates, and README link updates.
    • Added structured issue and pull request templates to standardize submissions.
  • Governance

    • Configured repository code ownership defaults.
  • CI/Tests

    • Enhanced CI with concurrency, timeouts, and script syntax/hygiene checks.
  • Chores

    • Enforced consistent LF line endings for repository metadata.

punk6529 (Contributor Author) commented Jun 9, 2026

@claude please review this PR for open-source repository maturity and review-routing quality. Please focus on whether SECURITY.md, CONTRIBUTING.md, GitHub issue forms, the PR template, CODEOWNERS, and the small CI hygiene additions are appropriate for a pre-audit NFT smart-contract repo. Also check whether the workflow changes remain safe with pinned actions and whether the public vulnerability-reporting guidance avoids leaking exploit details.

coderabbitai (bot) commented Jun 9, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a26b0e60-2045-43c1-8f0a-39ed5598b02a

📥 Commits

Reviewing files that changed from the base of the PR and between 5b23c63 and 20b147e.

📒 Files selected for processing (1)
  • ops/AUTONOMOUS_RUN.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • ops/AUTONOMOUS_RUN.md

Walkthrough

This PR establishes repository maturity infrastructure by adding CODEOWNERS and .gitattributes, structured GitHub issue/PR templates, CI hygiene and syntax checks, CONTRIBUTING and SECURITY documents, README/status updates, and ops/AUTONOMOUS_RUN.md state/worklog updates.

Changes

Repo Maturity and Contributor Docs

  • Repository ownership and file attributes (.gitattributes, .github/CODEOWNERS): Adds .github/CODEOWNERS with a default owner and explicit path mappings; enforces LF line endings for the CODEOWNERS file.
  • GitHub issue and PR templates (.github/ISSUE_TEMPLATE/config.yml, .github/ISSUE_TEMPLATE/bug_report.yml, .github/ISSUE_TEMPLATE/roadmap_item.yml, .github/PULL_REQUEST_TEMPLATE.md): Adds structured issue forms (bug report, roadmap), disables blank issues, includes contact links for private security reporting and roadmap, and provides a PR template with validation and routing checklists.
  • CI workflow enhancements and script validation (.github/workflows/ci.yml): Sets workflow-level permissions to read-only repo contents, adds concurrency cancellation, sets Foundry job timeout and full fetch-depth, and introduces repository-hygiene (git diff --check, bash -n) and PowerShell syntax validation steps.
  • Contributor and security documentation (CONTRIBUTING.md, SECURITY.md, README.md, docs/status.md): Adds CONTRIBUTING.md and SECURITY.md, updates README Important Docs links, and records governance/intake files in docs/status.md.
  • Autonomous run state and PR tracking (ops/AUTONOMOUS_RUN.md): Updates active PR branch, last-merged PR, advances PR queue statuses, records PR #4 outcome, and adds a detailed PR #5 worklog and decision-log entries.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 I nibble docs and plant a flag,
Templates, CI, and ownership tag.
CONTRIBUTING, SECURITY—set and neat,
Governance hops in, tidy and sweet.
A small soft paw on maturity's path.

Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and accurately summarizes the main change: adding contributor and security intake documentation files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


punk6529 (Contributor Author) commented

@claude pushed 5b23c633e8aaef3a894a4e8b1ada3595f39c039a addressing your PR #5 CI hygiene review.

Fixes included:

  • Scoped workflow cancellation so only pull request runs cancel in progress; pushes to main keep their artifacts.
  • Made repository hygiene validate the PR/push diff instead of the already-clean checkout.
  • Parsed each Bash script individually with bash -n.
  • Switched PowerShell validation to System.Management.Automation.Language.Parser.ParseFile so parse errors are surfaced reliably.

Local validation passed:

  • workflow YAML parse
  • pinned workflow action check
  • git diff --check origin/main...HEAD
  • per-script bash -n checks
  • PowerShell parser checks
  • make check
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1

Please re-review when ready.
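The hygiene steps listed in the PR description's Validation section and in the fix summary above, as an added shell example that is not the project's scripts/check.sh or its ci.yml: a per-script bash -n pass, and a scan of text files for tabs, non-ASCII bytes and trailing whitespace (the class of defect git diff --check reports). The real workflow runs the whitespace check over the PR diff range; this stand-in scans whole files so it works in a scratch directory with no git history. The function names, the sample scripts and the sample docs are constructed for the example, and bash must be on PATH.

```shell
# Added example, not the project's own check script. Local stand-in for the
# CI hygiene steps: per-script "bash -n" plus tab / non-ASCII / trailing
# whitespace scans. Sample files in demo() are constructed for the demo.

# Return 0 if every *.sh under $1 parses, 1 otherwise; prints each result.
check_bash_syntax() {
  dir=$1
  status=0
  for script in "$dir"/*.sh; do
    [ -e "$script" ] || continue
    # "bash -n" parses without executing: unbalanced quotes, missing "fi", etc.
    if bash -n "$script" 2>/dev/null; then
      echo "ok   $script"
    else
      echo "FAIL $script: syntax error"
      status=1
    fi
  done
  return $status
}

# Return 0 if $1 has no tab, no byte outside printable ASCII, and no trailing
# whitespace; 1 otherwise. Offending lines are printed with their numbers.
check_hygiene() {
  file=$1
  status=0
  tab=$(printf '\t')
  if grep -n "$tab" "$file"; then
    echo "FAIL $file: tab character"; status=1
  fi
  # LC_ALL=C makes the bracket expression byte-based, so any byte >= 0x80
  # (and any control byte other than tab, reported above) matches.
  if LC_ALL=C grep -n "[^$tab -~]" "$file"; then
    echo "FAIL $file: non-ASCII or control byte"; status=1
  fi
  if grep -n '[[:space:]]$' "$file"; then
    echo "FAIL $file: trailing whitespace"; status=1
  fi
  [ $status -eq 0 ] && echo "ok   $file"
  return $status
}

# Build a scratch directory with constructed samples and run both checks.
demo() {
  work=$(mktemp -d)
  printf '#!/bin/bash\necho "clean script"\n' > "$work/good.sh"
  # Unterminated quote: bash -n must reject this one.
  printf '#!/bin/bash\necho "unterminated\n' > "$work/bad.sh"
  printf '# Security policy\nReport privately.\n' > "$work/SECURITY.md"
  printf 'line with trailing space \n\tindented with tab\n' > "$work/dirty.md"

  if check_bash_syntax "$work"; then echo "syntax: clean"; else echo "syntax: failures"; fi
  for doc in "$work/SECURITY.md" "$work/dirty.md"; do
    if check_hygiene "$doc"; then echo "hygiene: clean"; else echo "hygiene: failures"; fi
  done
  rm -rf "$work"
}

demo
```

Run it with sh; the demo reports one syntax failure (bad.sh) and two hygiene failures (the tab and the trailing space in dirty.md), while good.sh and SECURITY.md pass. The checks are deliberately independent functions so a CI step can call just the one it needs.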

punk6529 (Contributor Author) commented

@claude final merge-candidate head is now 20b147e8e0b25bf444bc94e6b926d8ea8035cbd3.

The only change after your resolved workflow review was a state-only update to ops/AUTONOMOUS_RUN.md recording that CI passed, CodeRabbit had no actionable comments, and your review threads were resolved on the prior head. I will wait for CI and CodeRabbit on this final head before merging.

Comment on lines +107 to +114
- type: textarea
id: acceptance
attributes:
label: Acceptance criteria
description: Machine-verifiable criteria and review evidence required before merge.
render: markdown
validations:
required: true


🟡 The acceptance textarea in .github/ISSUE_TEMPLATE/roadmap_item.yml sets render: markdown, which per GitHub's issue-forms spec wraps the submitted content in a fenced ```markdown code block — so any - [ ] task-list syntax users type for "Machine-verifiable criteria" renders as literal text rather than as interactive checkboxes. This is the only textarea in the file with a `render:` attribute (all other textareas correctly omit it for free-form markdown). Fix: delete the `render: markdown` line on line 112 so reviewers can actually tick off the criteria.

Extended reasoning...

What the bug is

.github/ISSUE_TEMPLATE/roadmap_item.yml line 112 sets render: markdown on the acceptance textarea. Per GitHub's form-schema docs: "If a render value is included, the contents of the field will be rendered as a code block in the resulting issue." The value names the syntax highlighter — it does not mean "render this as markdown." It means "wrap the submitted text in a fenced code block, tagged markdown for highlighting."

Why this matters here

The field is labeled Acceptance criteria with the description "Machine-verifiable criteria and review evidence required before merge." The natural shape for that — and the shape every other roadmap-tracking repo uses — is a GitHub task list:

- [ ] forge test passes
- [ ] ADR linked
- [ ] Slither baseline updated

GitHub task-list checkboxes only become interactive when the markdown is not inside a code fence. With render: markdown set, every - [ ] lands inside the ```markdown ... ``` fence and renders as literal text, so reviewers cannot click them off. That directly contradicts the "machine-verifiable / review evidence" framing of the field.

Why I'm confident this isn't intentional

This is the only textarea in the file that sets a render: attribute. All eight other textareas — problem, current_behavior, intended_behavior, likely_files, code_changes, tests, docs, non_goals, dependencies — correctly omit render: so users get a free-form markdown textarea where lists, links, and task lists render normally. The asymmetry is the tell: the author likely read render: markdown as "render the user's markdown" rather than "wrap the user's markdown in a code fence with markdown syntax highlighting."

For contrast, bug_report.yml in the same PR correctly uses render: text on reproduction and validation — those should be wrapped in a code block (command output, repro steps), so the attribute is doing exactly what it advertises there.

Step-by-step proof

  1. User opens the roadmap issue form on github.com and fills the Acceptance criteria field with:
    - [ ] All tests pass
    - [ ] ADR linked
  2. User clicks Submit. GitHub's form-schema processor sees render: markdown and wraps the submitted text in fences:
    ```markdown
    - [ ] All tests pass
    - [ ] ADR linked
    ```
  3. GitHub renders the issue body. The fenced block is shown as syntax-highlighted source, not parsed as markdown. The - [ ] sequences appear as literal characters with no checkbox.
  4. Reviewers cannot tick the boxes from the issue page. The "machine-verifiable" framing collapses into a static text dump.

Verify locally without rendering: any GitHub repo with an issue form is enough — the rendered preview at https://github.com/<org>/<repo>/issues/new?template=... shows the difference between a textarea with and without render:.

Fix

Drop a single line:

   - type: textarea
     id: acceptance
     attributes:
       label: Acceptance criteria
       description: Machine-verifiable criteria and review evidence required before merge.
-      render: markdown
     validations:
       required: true
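Review bot: dropping `render: markdown` is the right fix, but none of the remaining attributes tell a submitter that a task list is expected; once `render` is gone the field is free-form, so consider extending `description:` or adding a `placeholder:` along the lines of `- [ ] forge test passes` so the criteria arrive as checkable items rather than prose. The `validations: required: true` block below the removed line is unaffected.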

The result is a normal markdown textarea where - [ ] renders as a clickable checkbox, links resolve, headings work — i.e., the obvious intent for an "Acceptance criteria" field.
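A small lint for the asymmetry the review comment describes, as an added example that is not part of the PR or the repository: it lists every textarea in a GitHub issue form with its id and render value, and flags any textarea whose render is markdown, since a render attribute wraps the submission in a fenced code block and task-list checkboxes inside a fence never become interactive. The form in the demo is constructed here and is not the repository's roadmap_item.yml; list_textarea_render and flag_markdown_render are names chosen for this example.

```shell
# Added example, not part of the PR. Lints a GitHub issue form for textareas
# that set "render: markdown", which turns task lists into literal text.
# Parsing assumes each body item starts with a "- type:" line and that id:
# and render: sit on their own lines, as in GitHub's issue-form examples.

# Print "<id> <render>" for each textarea in form $1; render is "-" when unset.
list_textarea_render() {
  awk '
    /^ *- type:/ {
      if (in_ta) print id, render          # flush the previous textarea
      in_ta = ($3 == "textarea"); id = "?"; render = "-"
    }
    in_ta && /^ *id:/     { id = $2 }
    in_ta && /^ *render:/ { render = $2 }
    END { if (in_ta) print id, render }
  ' "$1"
}

# Return 1 (and print a FLAG line) if any textarea in $1 uses render: markdown.
flag_markdown_render() {
  list_textarea_render "$1" | awk '
    $2 == "markdown" { found = 1; print "FLAG textarea \"" $1 "\" uses render: markdown" }
    END { if (found) exit 1; exit 0 }
  '
}

# Constructed demo form: one plain textarea, one command-output textarea with
# render: text (correct), and one acceptance-criteria textarea with
# render: markdown (the defect the review comment describes).
demo_form() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
name: Roadmap item (constructed demo)
body:
  - type: textarea
    id: problem
    attributes:
      label: Problem
    validations:
      required: true
  - type: textarea
    id: reproduction
    attributes:
      label: Reproduction
      render: text
  - type: textarea
    id: acceptance
    attributes:
      label: Acceptance criteria
      render: markdown
    validations:
      required: true
  - type: checkboxes
    id: agree
    attributes:
      label: Agree
EOF
  echo "textareas (id render):"
  list_textarea_render "$f"
  flag_markdown_render "$f" || echo "form needs attention before merge"
  rm -f "$f"
}

demo_form
```

Run with sh; for the constructed form it lists `problem -`, `reproduction text`, `acceptance markdown`, then flags the acceptance field. A `render: text` entry is left alone on purpose, matching the comment's point that wrapping command output in a code block is the attribute doing its job.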

@punk6529 punk6529 merged commit f244687 into main Jun 10, 2026
2 checks passed