docs: add repository governance files

Pigbibi · Pigbibi · commit 570fbcd9feed · 2026-03-30T21:46:06.000+08:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @Pigbibi
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+- package-ecosystem: "npm"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+  open-pull-requests-limit: 5
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+  open-pull-requests-limit: 5
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,24 @@
+# Contributing
+
+Thanks for contributing to `SchwabTokenAutoRefresher`.
+
+## Ground Rules
+
+- Prefer small, low-risk pull requests.
+- Keep refactors separate from behavior changes.
+- Add or update tests when changing runtime behavior.
+- Do not use deployment or scheduled workflows as a substitute for local verification.
+
+## Branching and Pull Requests
+
+- Create a topic branch for each change.
+- Open a pull request with a short summary and a concrete test plan.
+- Wait for CI to pass before merging.
+
+## Local Verification
+
+Run the main verification command before opening a pull request:
+
+```bash
+npm install && node --check main.js && bash tests/test_workflow_config_sources.sh
+```
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,23 @@
+# Security Policy
+
+Thanks for helping keep `SchwabTokenAutoRefresher` safe.
+
+This repository is part of a automation utility. Please do **not** open a public issue for vulnerabilities involving credentials, broker access, cloud resources, order execution, or secret material.
+
+## Reporting a Vulnerability
+
+- Contact the maintainer directly at GitHub: `@Pigbibi`.
+- If private vulnerability reporting is enabled for this repository, prefer that channel.
+- Include the repository name, affected commit or branch, environment details, and exact reproduction steps.
+
+## Secret and Credential Exposure
+
+If you suspect tokens, passwords, API keys, service-account keys, or broker credentials were exposed:
+
+1. Rotate the exposed secrets immediately.
+2. Pause scheduled jobs or deployments if the exposure can affect automation or trading behavior.
+3. Share only the minimum evidence needed to reproduce the issue.
+
+## Scope Notes
+
+Security fixes should stay minimal and focused. Please avoid bundling unrelated refactors with a security report or patch.
