diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..943acd4
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @Pigbibi
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..3e9b8d8
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+- package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 5
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 5
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..80bf67d
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,29 @@
+name: CI
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+
+ - name: Install dependencies
+ run: |
+ set -euo pipefail
+ npm install
+
+ - name: Run checks
+ run: |
+ set -euo pipefail
+ node --check main.js
+ bash tests/test_workflow_config_sources.sh
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..1e658db
--- /dev/null
+++ b/CONTRIBUTING.md
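Review bot: The new `.github/workflows/ci.yml` declares no `permissions:` block, so the `test` job runs with whatever default GITHUB_TOKEN scope the repository has, while `npm install` executes dependency lifecycle scripts on every push and pull request. For a repository that handles broker tokens I would add a top-level `permissions:` with `contents: read`, and set `persist-credentials: false` under a `with:` on the checkout step so the token is not left in the workspace git config. `actions/checkout@v5` and `actions/setup-node@v4` are referenced by mutable tags; pinning each to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v5` (placeholder), removes the tag-retargeting risk, and the `github-actions` entry added in dependabot.yml would keep those pins current. If a package-lock.json is committed (not visible in this diff), `npm ci` in place of `npm install` would make CI install exactly the locked versions rather than resolving fresh ones.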
@@ -0,0 +1,24 @@
+# Contributing
+
+Thanks for contributing to `SchwabTokenAutoRefresher`.
+
+## Ground Rules
+
+- Prefer small, low-risk pull requests.
+- Keep refactors separate from behavior changes.
+- Add or update tests when changing runtime behavior.
+- Do not use deployment or scheduled workflows as a substitute for local verification.
+
+## Branching and Pull Requests
+
+- Create a topic branch for each change.
+- Open a pull request with a short summary and a concrete test plan.
+- Wait for CI to pass before merging.
+
+## Local Verification
+
+Run the main verification command before opening a pull request:
+
+```bash
+npm install && node --check main.js && bash tests/test_workflow_config_sources.sh
+```
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..61c7ad0
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,23 @@
+# Security Policy
+
+Thanks for helping keep `SchwabTokenAutoRefresher` safe.
+
+This repository is part of a automation utility. Please do **not** open a public issue for vulnerabilities involving credentials, broker access, cloud resources, order execution, or secret material.
+
+## Reporting a Vulnerability
+
+- Contact the maintainer directly at GitHub: `@Pigbibi`.
+- If private vulnerability reporting is enabled for this repository, prefer that channel.
+- Include the repository name, affected commit or branch, environment details, and exact reproduction steps.
+
+## Secret and Credential Exposure
+
+If you suspect tokens, passwords, API keys, service-account keys, or broker credentials were exposed:
+
+1. Rotate the exposed secrets immediately.
+2. Pause scheduled jobs or deployments if the exposure can affect automation or trading behavior.
+3. Share only the minimum evidence needed to reproduce the issue.
+
+## Scope Notes
+
+Security fixes should stay minimal and focused. Please avoid bundling unrelated refactors with a security report or patch.