Tirth Kanani aef940fcde chore(repo): add issue/PR templates, SECURITY.md, CoC, package metadata; widen CI triggers
Closes a cluster of community-profile gaps (#248, #249, #251, #252) in one
PR rather than four micro-PRs that all touch the same surface area.

### Templates (#251, #252)

- .github/ISSUE_TEMPLATE/bug_report.yml — required fields for repro
  (plugin version, platform, OS, project language, file count); the four
  pieces of context that are missing from ~every current bug report.
- .github/ISSUE_TEMPLATE/feature_request.yml — leads with the *problem*
  rather than the proposed solution, which keeps maintainer review focused
  on whether to solve, not just how.
- .github/ISSUE_TEMPLATE/question.yml — separate from bug to keep the
  bug queue triagable.
- .github/ISSUE_TEMPLATE/config.yml — disables blank issues and routes
  general discussion to README + Discussions.
- .github/PULL_REQUEST_TEMPLATE.md — includes the version-bump checklist
  that CLAUDE.md says must stay in sync across 5 manifests; otherwise
  every contributor learns this rule by getting their PR bounced.

### Community files

- CODE_OF_CONDUCT.md — short, project-specific document that names the
  expectations and reporting path. Not a verbatim Contributor Covenant
  to keep it readable.
- SECURITY.md — describes the project's local-only threat model
  explicitly so reporters know what's in / out of scope before they
  spend time on a writeup. Points at GitHub private vulnerability
  reporting as the primary channel.

### CI (#249)

- ci.yml now also runs on pushes to main, not only PRs. Without this,
  a direct push to main (which happens when maintainers merge a PR
  branch locally) doesn't trigger CI, so a regression can land green-
  looking and stay broken for days.
- Added a concurrency group that cancels stale runs for the same ref.
  Saves runner minutes and keeps the per-ref status meaningful.
- Used `github.ref` (a controlled value), not user-controlled input,
  so no script-injection surface.

### package.json (#248)

- Added description, license, repository, bugs, homepage, keywords —
  the standard set for npm package discoverability and so GitHub's
  community-profile check shows the project at 100%.
2026-05-31 21:29:13 +01:00

Code of Conduct

We want this project to be a welcoming place for everyone who wants to contribute, learn, or use it — regardless of experience level, background, or identity.

In short

  • Be respectful. Treat others the way you'd want to be treated.
  • Assume good intent. Most disagreements are misunderstandings.
  • Be constructive. Critique ideas, not people. Suggest improvements.
  • Keep it on-topic. This project is about understanding codebases.

What's not OK

  • Personal attacks, insults, or sustained disruption of discussions.
  • Posting someone's private information without their explicit permission.
  • Repeatedly ignoring requests from maintainers to change behavior.

Reporting

If you see behavior that violates this code, please send a private email to the maintainer listed in the repository profile, or use GitHub's private vulnerability / abuse reporting.

Maintainers will review reports and take whatever action they think is appropriate — typically a private warning, sometimes a temporary or permanent ban from the project. Reports will be kept confidential.

Scope

This code applies in all project spaces: issues, pull requests, discussions, commits, and any other project-affiliated channel.


This document is intentionally short. It's based on the spirit of the Contributor Covenant without reproducing it verbatim.