chore(standards): apply doctrine-aligned baseline updates (#1)

tinmanworks · web-flow · commit 9879e6dcbc51 · 2026-03-02T01:40:58.000+01:00
* chore(standards): apply doctrine-aligned baseline updates

* ci(stack): remove lockfile-dependent node cache setting
diff --git a/.github/workflows/ci-stack.yml b/.github/workflows/ci-stack.yml
@@ -0,0 +1,36 @@
+name: CI (Stack)
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  stack-gated:
+    name: stack-gated
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10.6.3
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Install
+        run: pnpm install
+
+      - name: Lint
+        run: pnpm lint
+
+      - name: Test
+        run: pnpm test
+
+      - name: Typecheck
+        run: pnpm typecheck
+
+      - name: Build
+        run: pnpm build
diff --git a/README.md b/README.md
@@ -14,6 +14,13 @@ Generalized modular product web app template using Next.js and TypeScript.
 - A baseline app shell for feature-module oriented products.
 - Includes neutral module registry contracts and extension seams.
 
+## Use This Template
+
+1. Click **Use this template** on GitHub to create a new repository.
+2. Rename package/module identifiers and update ownership metadata.
+3. Review `.env.example` and update environment configuration for your target project.
+4. Run validation and CI checks before first release.
+
 ## Quickstart
 
 ### Prerequisites
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,18 @@
+# Security Policy
+
+## Reporting a Vulnerability
+Please report suspected security vulnerabilities privately and do not open public issues containing exploit details.
+
+Use the maintainers channel for this repository and include:
+- affected repository and commit/tag
+- impact summary
+- reproduction details
+- proposed mitigation (if available)
+
+## Disclosure Expectations
+- We will acknowledge receipt as quickly as possible.
+- We will triage, validate, and prioritize remediation based on impact.
+- Coordinated disclosure is expected; avoid public disclosure until a fix or mitigation is available.
+
+## Scope
+This policy applies to source code, workflows, and release artifacts maintained in this repository.
