chore: release v0.9.2

- formalize the repo with MIT, SECURITY, and CONTRIBUTING docs
- rewrite README and fix installer module drift
- ship auth token forwarding and safer credential overlays

Author: lroolle

CHANGELOG.md

@@ -5,6 +5,24 @@ All notable changes to Claude Code YOLO will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.2] - 2026-03-11
+
+### Added
+- `LICENSE` with the standard MIT license text
+- `SECURITY.md` with private vulnerability reporting guidance
+- `CONTRIBUTING.md` with the repo workflow, local checks, and release rules
+
+### Fixed
+- Claude `--auth-with api-key` now forwards `ANTHROPIC_AUTH_TOKEN` and `ANTHROPIC_BASE_URL`
+- Non-default auth no longer moves live host credential files out of the way; it overlays the default credential path with a safe placeholder instead
+- `--dry-run` no longer mutates config homes through autolink or scaffold writes
+- Config-home fan-out skips loose credential files, backup files, VCS junk, and `.DS_Store`
+- `install.sh` now installs the full current agent set, including Gemini and `shared_auth.sh`
+
+### Changed
+- Rewrote `README.md` into a cleaner OSS landing page with badges, quick start, auth matrix, and security warnings
+- Updated `workflows/RELEASE.md` to use `deva.sh` as the source of truth for version bumps
+
 ## [0.9.1] - 2026-01-09
 
 ### Fixed

CONTRIBUTING.md

@@ -0,0 +1,71 @@
+# Contributing
+
+Thanks. Keep it tight.
+
+## Before You Send Anything
+
+- open or find the issue first
+- keep one branch per issue
+- read the workflow docs in `workflows/`
+
+Use these, not your imagination:
+
+- `workflows/GITHUB-ISSUE.md`
+- `workflows/GITHUB-PR.md`
+- `workflows/GIT-COMMIT.md`
+- `workflows/RELEASE.md`
+
+## Local Checks
+
+Run the obvious stuff before you ask anyone else to look:
+
+```bash
+./deva.sh --help
+./deva.sh --version
+./claude-yolo --help
+./scripts/version-check.sh
+shellcheck deva.sh agents/*.sh docker-entrypoint.sh install.sh scripts/*.sh
+```
+
+If you change Docker image behavior, auth flows, or release logic, test those paths directly. Do not ship "should work".
+
+## What We Want
+
+- small, focused changes
+- direct docs
+- boring shell scripts that still work tomorrow
+- explicit auth and mount behavior
+- no surprise regressions
+
+## What We Do Not Want
+
+- prompt-engineering fluff in docs
+- magical wrappers around simple shell code
+- untested auth changes
+- random formatting churn
+- force-push chaos on shared branches
+
+## Docs Rules
+
+Update docs when behavior changes:
+
+- `README.md` for user-facing workflow
+- `CHANGELOG.md` for release notes
+- `DEV-LOGS.md` for significant work
+- `SECURITY.md` when the reporting path or threat model changes
+
+## Pull Requests
+
+A good PR does three things:
+
+1. says what changed
+2. says why it changed
+3. says how you tested it
+
+If it touches auth, container boundaries, or release mechanics, include the exact command you ran.
+
+## Releases
+
+Do not freestyle releases.
+
+Follow `workflows/RELEASE.md`. Update version, changelog, and docs together, then tag the release. If the tree is dirty and you do not understand why, stop.

DEV-LOGS.md

@@ -13,6 +13,17 @@
 - Minimal markdown markers, no unnecessary formatting, minimal emojis.
 - Reference issue numbers in the format `#<issue-number>` for easy linking.
 
+# [2026-03-11] Dev Log: OSS repo polish and auth mount cleanup
+- Why: the repo still looked half-finished in public, the installer lagged behind the actual agent set, and recent auth switching work exposed ugly mount behavior
+- What:
+  - added `LICENSE`, `SECURITY.md`, and `CONTRIBUTING.md`
+  - rewrote `README.md` into a cleaner OSS landing page with badges, quick start, auth, config-home, and security sections
+  - fixed `install.sh` to install `gemini.sh` and `shared_auth.sh`, and cleaned the installer output
+  - fixed Claude `--auth-with api-key` to pass `ANTHROPIC_AUTH_TOKEN` and `ANTHROPIC_BASE_URL`
+  - replaced credential backup/restore with auth-file overlay mounts, filtered junk from config-home fan-out, and stopped `--dry-run` from writing files
+  - fixed `workflows/RELEASE.md` to use `deva.sh` as the version source
+- Result: the repo now reads like an actual OSS project, fresh installs match the current feature set, and auth switching is less fragile ahead of the 0.9.2 release
+
 
 # [2026-01-07] Dev Log: Fix version-upgrade build resilience
 - Why: `make versions-up` exited 56 during GitHub API changelog fetch - GitHub API 403 rate limit (60/hour) from unauthenticated curl

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 The Vibe Works
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.