copy documents form mcp optimizer

Author: kantord

CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at <code-of-conduct@stacklok.com>. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

CONTRIBUTING.md

@@ -0,0 +1,82 @@
+# Contributing to `mcp-shell` <!-- omit from toc -->
+
+First off, thank you for taking the time to contribute to MCP Shell! :+1: :tada: MCP Shell is released under the Apache 2.0 license.
+If you would like to contribute something or want to hack on the code, this
+document should help you get started. You can find some hints for starting
+development in mcp-shell's
+[README](https://github.com/StacklokLabs/mcp-shell/blob/main/README.md).
+
+## Table of contents <!-- omit from toc -->
+
+- [Code of conduct](#code-of-conduct)
+- [Reporting security vulnerabilities](#reporting-security-vulnerabilities)
+- [How to contribute](#how-to-contribute)
+  - [Using GitHub Issues](#using-github-issues)
+  - [Not sure how to start contributing?](#not-sure-how-to-start-contributing)
+  - [Pull request process](#pull-request-process)
+  - [Commit message guidelines](#commit-message-guidelines)
+
+## Code of conduct
+
+This project adheres to the
+[Contributor Covenant](https://github.com/StacklokLabs/mcp-shell/blob/main/CODE_OF_CONDUCT.md)
+code of conduct. By participating, you are expected to uphold this code. Please
+report unacceptable behavior to
+[code-of-conduct@stacklok.com](mailto:code-of-conduct@stacklok.com).
+
+## Reporting security vulnerabilities
+
+If you think you have found a security vulnerability in mcp-shell please DO
+NOT disclose it publicly until we've had a chance to fix it. Please don't report
+security vulnerabilities using GitHub issues; instead, please follow this
+[process](https://github.com/StacklokLabs/mcp-shell/blob/main/SECURITY.md)
+
+## How to contribute
+
+### Using GitHub Issues
+
+We use GitHub issues to track bugs and enhancements. If you have a general usage
+question, please ask in the #mcp-servers channel of the
+[Stacklok Discord server](https://discord.gg/stacklok).
+
+If you are reporting a bug, please help to speed up problem diagnosis by
+providing as much information as possible. Ideally, that would include a small
+sample project that reproduces the problem.
+
+### Not sure how to start contributing?
+
+PRs to resolve existing issues are greatly appreciated and issues labeled as
+["good first issue"](https://github.com/StacklokLabs/mcp-shell/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
+are a great place to start!
+
+### Pull request process
+
+- All commits must include a Signed-off-by trailer at the end of each commit
+  message to indicate that the contributor agrees to the Developer Certificate
+  of Origin. For additional details, check out the [DCO instructions](dco.md).
+
+- Create an issue outlining the fix or feature.
+- Fork the mcp-shell repository to your own GitHub account and clone it
+  locally.
+- Hack on your changes.
+- Correctly format your commit messages, see
+  [Commit message guidelines](#commit-message-guidelines) below.
+- Open a PR by ensuring the title and its description reflect the content of the
+  PR.
+- Ensure that CI passes, if it fails, fix the failures.
+- Every pull request requires a review from the core mcp-shell team before
+  merging.
+- Once approved, all of your commits will be squashed into a single commit with
+  your PR title.
+
+### Commit message guidelines
+
+We follow the commit formatting recommendations found on
+[Chris Beams' How to Write a Git Commit Message article](https://chris.beams.io/posts/git-commit/):
+
+1. Separate subject from body with a blank line
+1. Limit the subject line to 50 characters
+1. Capitalize the subject line
+1. Do not end the subject line with a period
+1. Use the imperative mood in the subject line
+1. Use the body to explain what and why vs. how

SECURITY.md

@@ -0,0 +1,153 @@
+# Security Policy
+
+The StacklokLabs community take security seriously! We appreciate your efforts
+to disclose your findings responsibly and will make every effort to acknowledge
+your contributions.
+
+## Reporting a vulnerability
+
+To report a security issue, please use the GitHub Security Advisory
+["Report a Vulnerability"](https://github.com/StacklokLabs/mcp-shell/security/advisories/new)
+tab.
+
+If you are unable to access GitHub you can also email us at
+[security@stacklok.com](mailto:security@stacklok.com).
+
+Include steps to reproduce the vulnerability, the vulnerable versions, and any
+additional files to reproduce the vulnerability.
+
+If you are only comfortable sharing under GPG, please start by sending an email
+requesting a public PGP key to use for encryption.
+
+### Contacting the StacklokLabs security team
+
+Contact the team by sending email to
+[security@stacklok.com](mailto:security@stacklok.com).
+
+## Disclosures
+
+### Private disclosure processes
+
+The StacklokLabs community asks that all suspected vulnerabilities be handled in
+accordance with
+[Responsible Disclosure model](https://en.wikipedia.org/wiki/Responsible_disclosure).
+
+### Public disclosure processes
+
+If anyone knows of a publicly disclosed security vulnerability please
+IMMEDIATELY email [security@stacklok.com](mailto:security@stacklok.com) to
+inform us about the vulnerability so that we may start the patch, release, and
+communication process.
+
+If a reporter contacts us to express intent to make an issue public before a
+fix is available, we will request if the issue can be handled via a private
+disclosure process. If the reporter denies the request, we will move swiftly
+with the fix and release process.
+
+## Patch, release, and public communication
+
+For each vulnerability, the StacklokLabs security team will coordinate to create
+the fix and release, and notify the rest of the community.
+
+All of the timelines below are suggestions and assume a Private Disclosure.
+
+- The security team drives the schedule using their best judgment based on
+  severity, development time, and release work.
+- If the security team is dealing with a Public Disclosure all timelines become
+  ASAP.
+- If the fix relies on another upstream project's disclosure timeline, that will
+  adjust the process as well.
+- We will work with the upstream project to fit their timeline and best protect
+  StacklokLabs users.
+- The Security team will give advance notice to the Private Distributors list
+  before the fix is released.
+
+### Fix team organization
+
+These steps should be completed within the first 24 hours of Disclosure.
+
+- The security team will work quickly to identify relevant engineers from the
+  affected projects and packages and bring those engineers into the
+  [security advisory](https://docs.github.com/en/code-security/security-advisories/)
+  thread.
+- These selected developers become the "Fix Team" (the fix team is often drawn
+  from the projects MAINTAINERS)
+
+### Fix development process
+
+These steps should be completed within the 1-7 days of Disclosure.
+
+- Create a new
+  [security advisory](https://docs.github.com/en/code-security/security-advisories/)
+  in affected repository by visiting
+  `https://github.com/StacklokLabs/mcp-shell/security/advisories/new`
+- As many details as possible should be entered such as versions affected, CVE
+  (if available yet). As more information is discovered, edit and update the
+  advisory accordingly.
+- Use the CVSS calculator to score a severity level.
+- Add collaborators from codeowners team only (outside members can only be added
+  after approval from the security team)
+- The reporter may be added to the issue to assist with review, but **only
+  reporters who have contacted the security team using a private channel**.
+- Select 'Request CVE'
+- The security team / Fix Team create a private temporary fork
+- The Fix team performs all work in a 'security advisory' within its temporary
+  fork
+- CI can be checked locally using the [act](https://github.com/nektos/act)
+  project
+- All communication happens within the security advisory, it is _not_ discussed
+  in slack channels or non private issues.
+- The Fix Team will notify the security team that work on the fix branch is
+  completed, this can be done by tagging names in the advisory
+- The Fix team and the security team will agree on fix release day
+- The recommended release time is 4pm UTC on a non-Friday weekday. This means
+  the announcement will be seen morning Pacific, early evening Europe, and late
+  evening Asia.
+
+If the CVSS score is under ~4.0
+([a low severity score](https://www.first.org/cvss/specification-document#i5))
+or the assessed risk is low the Fix Team can decide to slow the release process
+down in the face of holidays, developer bandwidth, etc.
+
+Note: CVSS is convenient but imperfect. Ultimately, the security team has
+discretion on classifying the severity of a vulnerability.
+
+The severity of the bug and related handling decisions must be discussed in
+the security advisory, never in public repos.
+
+### Fix disclosure process
+
+With the Fix Development underway, the security team needs to come up with an
+overall communication plan for the wider community. This Disclosure process
+should begin after the Fix Team has developed a Fix or mitigation so that a
+realistic timeline can be communicated to users.
+
+**Fix release day** (Completed within 1-21 days of Disclosure)
+
+- The Fix Team will approve the related pull requests in the private temporary
+  branch of the security advisory
+- The security team will merge the security advisory / temporary fork and its
+  commits into the main branch of the affected repository
+- The security team will ensure all the binaries are built, signed, publicly
+  available, and functional.
+- The security team will announce the new releases, the CVE number, severity,
+  and impact, and the location of the binaries to get wide distribution and user
+  action. As much as possible this announcement should be actionable, and
+  include any mitigating steps users can take prior to upgrading to a fixed
+  version. An announcement template is available below. The announcement will be
+  sent to the following channels:
+- A link to fix will be posted to the
+  [Stacklok Discord Server](https://discord.gg/stacklok) in the #mcp-servers
+  channel.
+
+## Retrospective
+
+These steps should be completed 1-3 days after the Release Date. The
+retrospective process
+[should be blameless](https://landing.google.com/sre/book/chapters/postmortem-culture.html).
+
+- The security team will send a retrospective of the process to the
+  [Stacklok Discord Server](https://discord.gg/stacklok) including details on
+  everyone involved, the timeline of the process, links to relevant PRs that
+  introduced the issue, if relevant, and any critiques of the response and
+  release process.

dco.md

@@ -0,0 +1,52 @@
+# Developer Certificate of Origin (DCO)
+
+In order to contribute to the project, you must agree to the Developer
+Certificate of Origin. A
+[Developer Certificate of Origin (DCO)](https://developercertificate.org/) is an
+affirmation that the developer contributing the proposed changes has the
+necessary rights to submit those changes. A DCO provides some additional legal
+protections while being relatively easy to do.
+
+The entire DCO can be summarized as:
+
+- Certify that the submitted code can be submitted under the open source license
+  of the project (e.g. Apache 2.0)
+- I understand that what I am contributing is public and will be redistributed
+  indefinitely
+
+## How to Use Developer Certificate of Origin
+
+In order to contribute to the project, you must agree to the Developer
+Certificate of Origin. To confirm that you agree, your commit message must
+include a Signed-off-by trailer at the bottom of the commit message.
+
+For example, it might look like the following:
+
+```bash
+A commit message
+
+Closes gh-345
+
+Signed-off-by: jane marmot <jmarmot@example.org>
+```
+
+The Signed-off-by [trailer](https://git-scm.com/docs/git-interpret-trailers) can
+be added automatically by using the
+[-s or –signoff command line option](https://git-scm.com/docs/git-commit/2.13.7#Documentation/git-commit.txt--s)
+when specifying your commit message:
+
+```bash
+git commit -s -m
+```
+
+If you have chosen the
+[Keep my email address private](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address#about-commit-email-addresses)
+option within GitHub, the Signed-off-by trailer might look something like:
+
+```bash
+A commit message
+
+Closes gh-345
+
+Signed-off-by: jane marmot <462403+jmarmot@users.noreply.github.com>
+```