From 4818810c96a59c3ef90badadbc1127b03b544509 Mon Sep 17 00:00:00 2001 From: David Dada Date: Mon, 15 Jun 2026 12:49:41 +0100 Subject: [PATCH] chore: add CI, contributing guide, code of conduct, security policy --- .github/PULL_REQUEST_TEMPLATE.md | 24 +++++++++++++++++++ .github/workflows/ci.yml | 29 +++++++++++++++++++++++ CODE_OF_CONDUCT.md | 9 +++++++ CONTRIBUTING.md | 40 ++++++++++++++++++++++++++++++++ SECURITY.md | 13 +++++++++++ 5 files changed, 115 insertions(+) create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .github/workflows/ci.yml create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..fb88442 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,24 @@ + + +## Summary + + + +## Linked issue + +Closes # + +## Type of change + +- [ ] Bug fix +- [ ] Feature +- [ ] Tests +- [ ] Docs / chore + +## Checklist + +- [ ] Tied to an accepted issue (`Closes #…`) +- [ ] Tests pass locally +- [ ] New behaviour is covered by tests +- [ ] No secrets committed +- [ ] Docs updated where relevant diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..a1d69fc --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,29 @@ +name: CI + +on: + push: + branches: [main] + pull_request: + branches: [main] + +concurrency: + group: ci-${{ github.ref }} + cancel-in-progress: true + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install bun + uses: oven-sh/setup-bun@v2 + + - name: Install dependencies + run: bun install --frozen-lockfile + + - name: Build + run: bun run build + + - name: Test + run: bun run test diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..db21574 --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,9 @@ +# Code of Conduct + +This project adopts the **Contributor Covenant, version 2.1** as its code of conduct. By participating, you are expected to uphold it. + +Read the full text here: https://www.contributor-covenant.org/version/2/1/code_of_conduct/ + +## Reporting + +If you experience or witness unacceptable behaviour, report it privately to the maintainers at **daveproxy80@gmail.com**. All reports are reviewed and handled confidentially. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..82361e1 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,40 @@ +# Contributing to Heliobond backend + +This is the Heliobond backend — a Stellar indexer, REST API, and the oracle that scores projects on credit quality and green impact. TypeScript on Express, run with bun. Thanks for helping out. + +## Pick something to work on + +Browse [open issues](https://github.com/heliobond/backend/issues). Issues tagged **good first issue** are scoped for newcomers; **help wanted** are ready for anyone. Each issue has scope, acceptance criteria, and file pointers. Comment to claim it before you start. + +## Setup + +```bash +bun install +bun run dev # start the API with the hourly cron +bun run test # jest suite +bun run build # tsc +``` + +## Workflow + +1. Fork and branch from `main` (`feat/…`, `fix/…`, `test/…`). +2. Make your change. Keep it scoped to one issue. +3. Run the quality gate locally before pushing: + ```bash + bun run build # must type-check + bun run test # all tests must pass + ``` +4. Open a PR with `Closes #`. CI runs `bun install`, `bun run build`, and `bun run test` — all must be green. + +## Quality bar + +- **Type-safe** — `bun run build` (tsc) must pass; no `any` escape hatches without a reason. +- **Tested** — new routes and logic need tests. We use jest + supertest; see `src/__tests__/`. +- **Validated input** — validate request bodies and params at the boundary; return structured JSON errors, never raw stack traces. +- **No secrets in code** — keys and RPC URLs come from the environment (`.env`), never committed. + +## Reporting issues + +Bugs and ideas: [open an issue](https://github.com/heliobond/backend/issues/new). Security problems: see [SECURITY.md](./SECURITY.md) — report privately, not in a public issue. + +By contributing you agree your work is licensed under [Apache-2.0](./LICENSE), and you agree to the [Code of Conduct](./CODE_OF_CONDUCT.md). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..ee26fc2 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,13 @@ +# Security policy + +## Reporting a vulnerability + +Please **do not** open a public issue for security problems. + +Report privately through GitHub: go to the repository's **Security** tab → **Report a vulnerability** (this opens a private advisory). If you can't use that, email **daveproxy80@gmail.com**. + +Include what you can: affected component, steps to reproduce, and impact. We aim to acknowledge within a few days and will coordinate a fix and disclosure with you. + +## Scope + +This is testnet, pre-production software. The smart contracts have not yet been audited. Treat anything on-chain as experimental until a release notes otherwise.
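Review bot: In the `.github/PULL_REQUEST_TEMPLATE.md` hunk the `## Summary` section is empty, so contributors get no hint of what belongs there; a one-line prompt such as `<!-- What changed and why; link design notes if any -->` is enough. The `No secrets committed` checklist item is a bare checkbox with nothing that tells the author how to verify it; a short pointer (for example, "check `git diff main --name-only` for `.env` or key files") makes the box mean something rather than being ticked by habit.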
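Review bot: The `.github/workflows/ci.yml` hunk has no `permissions:` block, so the job's `GITHUB_TOKEN` inherits the repository default, which can be read-write; a workflow that only runs `bun install --frozen-lockfile`, `bun run build` and `bun run test` needs nothing beyond a top-level `permissions:` with `contents: read`. Related supply-chain point: `actions/checkout@v4` and `oven-sh/setup-bun@v2` are pinned to mutable major tags rather than full commit SHAs (with the tag kept in a trailing comment for readability), so a moved or compromised tag changes what runs on every PR, and `setup-bun` is used without a `bun-version` input, so the toolchain can drift between runs without any change in the repository.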
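Review bot: The `## Reporting` section of the `CODE_OF_CONDUCT.md` hunk says reports go "to the maintainers" but gives a single personal Gmail address (`daveproxy80@gmail.com`); a role-based mailbox or alias that more than one maintainer reads keeps reports from being lost if that one person is unavailable and is easier to rotate later, and the same address is reused as the fallback in `SECURITY.md`, so one change would fix both.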
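Review bot: Step 4 of `## Workflow` in the `CONTRIBUTING.md` hunk says CI runs `bun install`, but the workflow added in this same patch runs `bun install --frozen-lockfile`, so a PR that adds or bumps a dependency without committing the updated lockfile will fail CI with no explanation here; state that dependency changes must be accompanied by the regenerated lockfile. Under `## Quality bar`, the `No secrets in code` item points contributors at `.env`, yet nothing in the patch says `.env` is git-ignored or that a committed `.env.example` lists the expected variables; one sentence naming both would back the `No secrets committed` item in the PR template.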
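Review bot: `## Scope` in the `SECURITY.md` hunk says what is experimental but not what is in scope for a report; since `CONTRIBUTING.md` in this patch already names the components (Stellar indexer, REST API, the scoring oracle and its hourly cron, and the unaudited smart contracts), listing them here tells a researcher whether, for instance, an issue in the oracle's scoring counts. "We aim to acknowledge within a few days" would serve better as a concrete window (for example, 5 business days), and since the preferred channel is a GitHub private advisory, say that the fix, credit and any CVE request are coordinated through that advisory so the reporter knows what to expect after the acknowledgement.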