chore: centralize org contribution and security templates

miccy · miccy · commit 4af1c0080815 · 2026-02-23T14:30:57.000+01:00
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -1,73 +1,49 @@
 # Contributing to SQLoot
 
-Thank you for your interest in contributing! This document provides guidelines for contributing to SQLoot projects.
+Thanks for contributing.
 
-## Getting Started
+## Workflow
 
-1. Fork the repository
-2. Clone your fork
-3. Create a feature branch: `git checkout -b feat/your-feature`
-4. Make your changes
-5. Submit a pull request
+1. Create a feature branch from `main`
+2. Implement focused, reviewable changes
+3. Run local checks
+4. Open a PR and request review
 
-## Development Setup
+## Local Checks
 
-### Prerequisites
-
-- [Bun](https://bun.sh) (latest)
-- Git
-
-### Install dependencies
+Use the repository's standard verification command (typically one of):
 
 ```bash
-bun install
+bun verify
+bun run verify
 ```
 
-### Run quality checks
+If the repository includes Rust code, also run:
 
 ```bash
-bun run check
+cargo fmt --all
+cargo test
 ```
 
-## Code Style
-
-We use **Biome** for linting and formatting. Configuration is in `biome.json`.
+## Engineering Standards
 
-```bash
-# Format code
-bun run format
-
-# Lint code
-bun run lint
-```
+- Prefer Bun tooling over npm/pnpm
+- Prefer Biome for formatting/linting where configured
+- Keep TypeScript strict and avoid `any` unless justified
+- Add/update tests for behavior changes
+- Update docs when behavior or public API changes
 
-## Commit Messages
+## Pull Requests
 
-Use clear, descriptive commit messages:
+- Keep PR scope small and explicit
+- Link related issue(s)
+- Document any breaking change
+- Resolve all review comments before merge
 
-- `feat: add user authentication`
-- `fix: resolve memory leak in sync`
-- `docs: update API documentation`
-- `refactor: simplify data layer`
+## Security
 
-## Pull Request Process
-
-1. Ensure all checks pass
-2. Update documentation if needed
-3. Request review from maintainers
-4. Address feedback
+For vulnerabilities, do not use public issues. Follow `SECURITY.md`.
 
 ## Code of Conduct
 
-Please read our [Code of Conduct](CODE_OF_CONDUCT.md).
-
-## Questions?
-
-Open a discussion or reach out via issues.
-
----
-
-<div align="center">
-  <a href="https://github.com/enterprises/ownCTRL"><img src="https://img.shields.io/badge/©️_2026-ownCTRL™-333?style=flat&labelColor=ddd" alt="© 2026 ownCTRL™"/></a>
-  <a href="https://github.com/miccy"><img src="https://img.shields.io/badge/⚙️_Maintained_with_🩶_by-%40miccy-333?style=flat&labelColor=ddd" alt="Maintained by @miccy"/></a>
-</div>
+See `CODE_OF_CONDUCT.md`.
diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
@@ -1,22 +1,27 @@
-## Description
+## Summary
 
-<!-- Brief description of changes -->
+<!-- What changed and why -->
 
-## Type of Change
+## Scope
 
 - [ ] Bug fix
-- [ ] New feature
+- [ ] Feature
+- [ ] Refactor
+- [ ] Docs
+- [ ] CI/Tooling
 - [ ] Breaking change
-- [ ] Documentation update
-- [ ] Refactoring
 
-## Checklist
+## Verification
 
-- [ ] Code follows project style guidelines
-- [ ] Tests pass locally (`bun run check`)
-- [ ] Documentation updated (if applicable)
-- [ ] No secrets or sensitive data included
+- [ ] I ran the repository verification command successfully (`bun verify` or repo equivalent)
+- [ ] I added/updated tests where needed
+- [ ] I updated docs where needed
 
-## Related Issues
+## Governance
 
-<!-- Link any related issues: Fixes #123 -->
+- [ ] No secrets or credentials introduced
+- [ ] CODEOWNERS-relevant changes requested proper reviewers
+
+## Linked Issues
+
+<!-- Fixes #123 -->
diff --git a/SECURITY.md b/SECURITY.md
@@ -2,58 +2,46 @@
 
 ## Reporting a Vulnerability
 
-We take security seriously. If you discover a security vulnerability, please report it responsibly.
+Please report security vulnerabilities privately.
 
-### How to Report
+1. Do **not** open a public issue.
+2. Use GitHub Private Vulnerability Reporting in the affected repository (`Security` tab).
+3. If needed, contact us at **security@sqloot.dev**.
 
-1. **DO NOT** create a public GitHub issue
-2. **Preferred**: Use [GitHub's private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) on the affected repository's Security tab
-3. **Alternative**: Email: security@sqloot.dev
-4. Include:
-   - Description of the vulnerability
-   - Steps to reproduce
-   - Potential impact
-   - Any suggested fixes (optional)
+Please include:
+- Affected repository/package and version/commit
+- Reproduction steps or PoC
+- Impact assessment
+- Suggested mitigation (optional)
 
-### What to Expect
+## Response Targets
 
-- **Acknowledgment**: Within 48 hours
-- **Initial assessment**: Within 7 days
-- **Resolution timeline**: Depends on severity (critical: ASAP, high: 30 days, medium: 90 days)
+- Acknowledgement: within 48 hours
+- Initial triage: within 7 days
+- Fix timeline:
+  - Critical: as soon as possible
+  - High: target within 30 days
+  - Medium: target within 90 days
 
-### Scope
+## Scope
 
-This policy applies to all SQLoot repositories.
-
-### Recognition
-
-We appreciate responsible disclosure and will acknowledge security researchers in our release notes (unless you prefer to remain anonymous).
+This policy applies to all repositories under the SQLoot organization.
 
 ## Supported Versions
 
-| Version  | Supported               |
-| -------- | ----------------------- |
-| Latest   | ✅                       |
-| < Latest | ❌ (upgrade recommended) |
-
-## Security Best Practices
+| Version line | Supported |
+| --- | --- |
+| Current main/default branch | ✅ |
+| Older versions | ❌ |
 
-When contributing to SQLoot projects:
+## Contributor Security Requirements
 
-- Never commit secrets, API keys, or credentials
-- Use environment variables for sensitive data
-- Keep dependencies up to date
-- Follow secure coding practices
+- Never commit secrets or credentials
+- Minimize sensitive logging
+- Keep dependencies updated
+- Use least-privilege tokens and permissions
 - Enable 2FA on your GitHub account
 
-## Security.txt
-
-For automated security tools, we follow [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116.html).
-See `/.well-known/security.txt` in production deployments.
-
----
+## Coordinated Disclosure
 
-<div align="center">
-  <a href="https://github.com/enterprises/ownCTRL"><img src="https://img.shields.io/badge/©️_2026-ownCTRL™-333?style=flat&labelColor=ddd" alt="© 2026 ownCTRL™"/></a>
-  <a href="https://github.com/miccy"><img src="https://img.shields.io/badge/⚙️_Maintained_with_🩶_by-%40miccy-333?style=flat&labelColor=ddd" alt="Maintained by @miccy"/></a>
-</div>
+We appreciate responsible disclosure and can credit reporters in release notes, unless anonymity is requested.
