docs: add community health files and update CoC to v2.1

Add CONTRIBUTING.md, SECURITY.md, and pull request template.
Update Code of Conduct attribution from v2.0 to v2.1.

Author: Dxsk

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,26 @@
+## Description
+
+<!-- What does this PR do? Why is it needed? -->
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New content (quest, cheatsheet)
+- [ ] Content improvement (typo, clarity, accuracy)
+- [ ] Translation (FR/EN parity)
+- [ ] Accessibility improvement
+- [ ] Verification script update
+- [ ] Website (CSS, JS, templates)
+- [ ] CI/CD or tooling
+- [ ] Other
+
+## Related issue
+
+<!-- Link the issue this PR addresses: Fixes #123 -->
+
+## Checklist
+
+- [ ] I have read the [Contributing guidelines](../CONTRIBUTING.md)
+- [ ] `npm run check` passes locally
+- [ ] If I changed content in one language, I updated the other language too
+- [ ] If I added/modified a quest, I updated both `verifier.sh` and `verifier.ps1`

CODE_OF_CONDUCT.md

@@ -115,8 +115,8 @@ the community.
 ## Attribution
 
 This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.0, available at
-https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+version 2.1, available at
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.
 
 Community Impact Guidelines were inspired by [Mozilla's code of conduct
 enforcement ladder](https://github.com/mozilla/diversity).

CONTRIBUTING.md

@@ -0,0 +1,89 @@
+# Contributing to Git Chronicles
+
+First off, thanks for taking the time to contribute! This project started as a learning resource for friends and colleagues, and community contributions help make it better for everyone.
+
+## Code of Conduct
+
+This project follows the [Contributor Covenant Code of Conduct](CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code. Please report unacceptable behavior to daihyxsk+coc.github@pm.me.
+
+## How can I contribute?
+
+### Reporting bugs
+
+Use the [Bug Report](https://github.com/Dxsk/git-chronicles/issues/new?template=bug_report.yml) issue template. Include:
+- The affected page or quest
+- The language (FR/EN)
+- Steps to reproduce
+- Screenshots if relevant
+
+### Suggesting improvements
+
+Use the [Content Improvement](https://github.com/Dxsk/git-chronicles/issues/new?template=content_improvement.yml) or [Feature Request](https://github.com/Dxsk/git-chronicles/issues/new?template=feature_request.yml) issue templates.
+
+### Submitting changes
+
+1. **Open an issue first** to discuss the change you'd like to make.
+2. Fork the repository and create a branch from `main`.
+3. Make your changes.
+4. Run the checks before submitting:
+   ```bash
+   npm run check
+   ```
+   This runs i18n parity checks, the build, link checking, and accessibility checks.
+5. Open a Pull Request referencing the related issue.
+
+## Development setup
+
+```bash
+git clone https://github.com/<your-fork>/git-chronicles.git
+cd git-chronicles
+npm install
+npm run dev    # Local server with hot reload
+```
+
+Requires **Node.js 18+**.
+
+## Project structure
+
+```
+src/
+  fr/quetes/        # French quest content (Nunjucks templates)
+  en/quests/        # English quest content
+  assets/           # CSS, JS (vanilla, no dependencies)
+exercises/
+  */verifier.sh     # Bash verification scripts
+  */verifier.ps1    # PowerShell verification scripts
+themes/fantasy/     # Theme messages (i18n)
+```
+
+## Content guidelines
+
+### Bilingual content
+
+The course is bilingual (FR/EN). If you modify quest content in one language, the corresponding content in the other language should also be updated. The `npm run check:i18n` script verifies parity between both languages.
+
+### Writing style
+
+- Keep explanations clear and beginner-friendly.
+- Use the fantasy narrative tone (guilds, quests, scrolls) to stay consistent with the rest of the course.
+- Explain the *why*, not just the *how*.
+- Include practical examples whenever possible.
+
+### Verification scripts
+
+Each quest has verification scripts in both Bash (`verifier.sh`) and PowerShell (`verifier.ps1`). If you add or modify a quest, update both scripts. They support `--lang fr` and `--lang en` flags.
+
+## Types of welcome contributions
+
+- Fixing typos or unclear explanations
+- Improving accessibility
+- Adding or improving translations
+- Writing new quests or bonus quests
+- Improving verification scripts
+- Fixing CSS/JS issues
+
+## Licenses
+
+By contributing, you agree that your contributions will be licensed under:
+- **[MIT](LICENSE-MIT)** for code (scripts, CSS, JS, templates)
+- **[CC BY-SA 4.0](LICENSE-CC-BY-SA)** for content (quest texts, cheatsheets, narratives)

SECURITY.md

@@ -0,0 +1,40 @@
+# Security Policy
+
+## Supported versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| latest  | :white_check_mark: |
+
+Only the latest version deployed on [git.learning.dxscloud.fr](https://git.learning.dxscloud.fr) is supported.
+
+## Reporting a vulnerability
+
+If you discover a security vulnerability, **please do not open a public issue**.
+
+Instead, report it privately by emailing **daihyxsk+security.github@pm.me**.
+
+Please include:
+- A description of the vulnerability
+- Steps to reproduce it
+- The potential impact
+- A suggested fix (if you have one)
+
+## Response timeline
+
+- **Acknowledgment**: within 72 hours
+- **Assessment**: within 1 week
+- **Fix or mitigation**: as soon as reasonably possible
+
+## Scope
+
+This is a static educational website with no user accounts, databases, or server-side processing. The main security concerns are:
+
+- XSS vulnerabilities in the generated static site
+- Malicious content in verification scripts (Bash/PowerShell)
+- Supply chain issues in npm dependencies
+- GitHub Actions workflow security
+
+## Disclosure
+
+We follow coordinated disclosure. Once a fix is deployed, we will credit the reporter (unless they prefer to remain anonymous).