chore: CI and contributor governance

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,24 @@
+<!-- Keep PRs focused — one issue each. -->
+
+## Summary
+
+<!-- What does this change and why? -->
+
+## Linked issue
+
+Closes #<!-- issue number -->
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] Feature
+- [ ] Tests
+- [ ] Docs / chore
+
+## Checklist
+
+- [ ] Tied to an accepted issue (`Closes #…`)
+- [ ] Tests pass locally
+- [ ] New behaviour is covered by tests
+- [ ] No secrets committed
+- [ ] Docs updated where relevant

.github/workflows/ci.yml

@@ -0,0 +1,29 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build
+        run: bun run build
+
+      - name: Test
+        run: bun run test

CODE_OF_CONDUCT.md

@@ -0,0 +1,9 @@
+# Code of Conduct
+
+This project adopts the **Contributor Covenant, version 2.1** as its code of conduct. By participating, you are expected to uphold it.
+
+Read the full text here: https://www.contributor-covenant.org/version/2/1/code_of_conduct/
+
+## Reporting
+
+If you experience or witness unacceptable behaviour, report it privately to the maintainers at **daveproxy80@gmail.com**. All reports are reviewed and handled confidentially.

CONTRIBUTING.md

@@ -0,0 +1,40 @@
+# Contributing to Heliobond backend
+
+This is the Heliobond backend — a Stellar indexer, REST API, and the oracle that scores projects on credit quality and green impact. TypeScript on Express, run with bun. Thanks for helping out.
+
+## Pick something to work on
+
+Browse [open issues](https://github.com/heliobond/backend/issues). Issues tagged **good first issue** are scoped for newcomers; **help wanted** are ready for anyone. Each issue has scope, acceptance criteria, and file pointers. Comment to claim it before you start.
+
+## Setup
+
+```bash
+bun install
+bun run dev      # start the API with the hourly cron
+bun run test     # jest suite
+bun run build    # tsc
+```
+
+## Workflow
+
+1. Fork and branch from `main` (`feat/…`, `fix/…`, `test/…`).
+2. Make your change. Keep it scoped to one issue.
+3. Run the quality gate locally before pushing:
+   ```bash
+   bun run build    # must type-check
+   bun run test     # all tests must pass
+   ```
+4. Open a PR with `Closes #<issue>`. CI runs `bun install`, `bun run build`, and `bun run test` — all must be green.
+
+## Quality bar
+
+- **Type-safe** — `bun run build` (tsc) must pass; no `any` escape hatches without a reason.
+- **Tested** — new routes and logic need tests. We use jest + supertest; see `src/__tests__/`.
+- **Validated input** — validate request bodies and params at the boundary; return structured JSON errors, never raw stack traces.
+- **No secrets in code** — keys and RPC URLs come from the environment (`.env`), never committed.
+
+## Reporting issues
+
+Bugs and ideas: [open an issue](https://github.com/heliobond/backend/issues/new). Security problems: see [SECURITY.md](./SECURITY.md) — report privately, not in a public issue.
+
+By contributing you agree your work is licensed under [Apache-2.0](./LICENSE), and you agree to the [Code of Conduct](./CODE_OF_CONDUCT.md).

SECURITY.md

@@ -0,0 +1,13 @@
+# Security policy
+
+## Reporting a vulnerability
+
+Please **do not** open a public issue for security problems.
+
+Report privately through GitHub: go to the repository's **Security** tab → **Report a vulnerability** (this opens a private advisory). If you can't use that, email **daveproxy80@gmail.com**.
+
+Include what you can: affected component, steps to reproduce, and impact. We aim to acknowledge within a few days and will coordinate a fix and disclosure with you.
+
+## Scope
+
+This is testnet, pre-production software. The smart contracts have not yet been audited. Treat anything on-chain as experimental until a release notes otherwise.