Add standard OSS repo files

kiyeonjeon21 · claude · kiyeonjeon21 · commit c0d5c5787c57 · 2026-04-19T17:25:13.000+09:00
- CODE_OF_CONDUCT.md       — Contributor Covenant 2.1 adoption
- SECURITY.md              — private GHSA advisory flow + scope
- .github/workflows/ci.yml — typecheck + build on push / PR, Node 20 &amp; 22
- .github/ISSUE_TEMPLATE/skill_request.md — separate from connector_request;
  scoped to "MCP server I want a skill for"

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/ISSUE_TEMPLATE/skill_request.md b/.github/ISSUE_TEMPLATE/skill_request.md
@@ -0,0 +1,42 @@
+---
+name: Skill request
+about: Propose a skill for a specific MCP server (Notion, Linear, Slack, Gmail, ...)
+labels: skill
+---
+
+## MCP server
+
+<!-- Name + install command of the MCP server. Link to its repo if possible. -->
+
+Example: `@anthropic/notion-mcp` — `npx -y @anthropic/notion-mcp`
+
+## What the skill should extract
+
+<!-- Which MCP tools get called, and how their results map to graph shape. -->
+
+- Tools to call:
+  - `list_databases` → ?
+  - `query_database` → one event per page?
+- Entities to emit:
+  - `person` for page authors?
+  - `concept` for tags?
+- Relations:
+  - `involves` from page event → author person?
+
+## Auth model
+
+- [ ] Public / keyless
+- [ ] API key (single env var)
+- [ ] OAuth flow (requires `requiredEnv` + external login)
+- [ ] Local export file
+
+## Willing to contribute?
+
+- [ ] I can write the skill
+- [ ] I can test against real data once someone else writes it
+- [ ] Just filing the request
+
+## Related
+
+<!-- Existing skill files in examples/skills/ that would inform this one,
+or issues with similar shape. -->
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,26 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node: [20, 22]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node }}
+          cache: npm
+      - run: npm ci
+      - run: npm run typecheck
+      - run: npm run build
+      - name: CLI smoke test
+        run: |
+          node dist/index.js --version
+          node dist/index.js --help
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -0,0 +1,35 @@
+# Code of Conduct
+
+## Our pledge
+
+We pledge to make participation in the contextix community a welcoming, harassment-free experience for everyone — regardless of experience level, background, identity, or expression.
+
+## Our standards
+
+Behavior that helps:
+- Assume good intent when reading others' words
+- Keep critique on the idea / code, not the person
+- Accept constructive feedback gracefully
+- Ask questions in public channels — someone else probably has the same one
+- Credit others' work
+
+Behavior that doesn't belong here:
+- Personal attacks, insults, or political / identity-based hostility
+- Public or private harassment
+- Publishing others' private information without explicit consent
+- Sexualized language or imagery
+- Conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+This applies to all project spaces — repo, issues, pull requests, Discussions, any official Discord/Slack — and to public spaces when an individual is representing contextix.
+
+## Enforcement
+
+Report abusive, harassing, or otherwise unacceptable behavior to the maintainers at the email listed on the [npm package](https://www.npmjs.com/package/contextix) or by opening a private GitHub security advisory. All reports are reviewed and investigated promptly and confidentially.
+
+Maintainers who do not follow or enforce this code in good faith may face temporary or permanent consequences as determined by other maintainers.
+
+## Attribution
+
+Adapted from the [Contributor Covenant](https://www.contributor-covenant.org) v2.1.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,40 @@
+# Security policy
+
+## Supported versions
+
+The latest `0.x.y` release on npm receives security fixes. Older minor versions do not.
+
+## Reporting a vulnerability
+
+Please do **not** open a public issue for security-sensitive reports.
+
+Use GitHub's private security advisory flow:
+1. Go to https://github.com/vericontext/contextix/security/advisories/new
+2. Describe the issue, the affected version, and a proof-of-concept if you have one
+3. Maintainers respond within 7 days
+
+If you can't use GitHub advisories, email the maintainer listed on the [npm package page](https://www.npmjs.com/package/contextix).
+
+## Scope
+
+Security issues of interest:
+- **Code execution** — a crafted skill file, source fetch, or MCP server response causes unintended code execution on the host
+- **Data exfiltration** — extractor / ingest path leaks `ANTHROPIC_API_KEY` or other env values into emitted graph content, logs, or outbound requests
+- **Path traversal** — `ingest markdown` or similar reads outside the intended directory
+- **Supply chain** — a dependency update introduces a malicious change
+- **Denial of service** — adversarial input to any connector that locks up or exhausts memory on reasonable inputs
+
+Out of scope:
+- Bugs in upstream MCP servers (report to their maintainers)
+- Misconfigured skill files that leak your own credentials — that's an authoring issue
+- Known issues already tracked in public advisories
+
+## Disclosure process
+
+1. You report privately
+2. We confirm the issue and assess severity
+3. We prepare a fix + a patch release
+4. We publish a public GHSA advisory crediting the reporter (opt-in)
+5. We push the fixed version to npm
+
+Target timeline: **14 days** from report to fix for high / critical severity; longer for low / informational.
