chore(oss): add governance files (SECURITY, CONTRIBUTING, CODEOWNERS, templates)

.github/CODEOWNERS

@@ -0,0 +1,27 @@
+# Global fallback
+* @v1truv1us
+
+# Core commands
+/cmd/ @v1truv1us
+
+# Ritual system
+/internal/ritual/ @v1truv1us
+
+# Time tracking
+/internal/time/ @v1truv1us
+
+# Project detection
+/internal/project/ @v1truv1us
+
+# Integrations (Git, Slack, Calendar)
+/internal/integrations/ @v1truv1us
+
+# Configuration
+/configs/ @v1truv1us
+
+# CI/CD
+/.github/workflows/ @v1truv1us
+
+# Documentation
+*.md @v1truv1us
+SECURITY.md @v1truv1us

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,45 @@
+name: Bug Report
+description: Report a bug in rune
+title: "[Bug]: "
+labels: ["bug", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a bug!
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      placeholder: "0.1.0"
+    validations:
+      required: true
+  - type: dropdown
+    id: os
+    attributes:
+      label: OS
+      options:
+        - macOS
+        - Linux
+        - Windows
+  - type: textarea
+    id: description
+    attributes:
+      label: Bug Description
+    validations:
+      required: true
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to Reproduce
+      placeholder: |
+        1. rune start
+        2. ...
+    validations:
+      required: true
+  - type: textarea
+    id: config
+    attributes:
+      label: Config
+      description: Relevant config from ~/.rune/config.yaml
+      render: yaml

.github/pull_request_template.md

@@ -0,0 +1,16 @@
+## Description
+
+## Type
+- [ ] Bug fix
+- [ ] Feature
+- [ ] Docs
+- [ ] Refactor
+
+## Testing
+- [ ] Tests pass (`make test`)
+- [ ] Manual testing
+
+## Checklist
+- [ ] Code follows style
+- [ ] Tests cover changes
+- [ ] CHANGELOG updated

SECURITY.md

@@ -0,0 +1,59 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.1.x   | ✅ Yes (current)   |
+| < 0.1.0 | ❌ No              |
+
+## Reporting a Vulnerability
+
+We take security seriously. If you discover a security vulnerability in Rune, please report it responsibly.
+
+### How to Report
+
+**Email:** security@v1truv1us.dev (or your preferred security contact)
+
+Please include:
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact assessment
+- Suggested fix (if any)
+
+### Response Timeline
+
+- **Acknowledgment:** Within 48 hours
+- **Initial assessment:** Within 7 days
+- **Fix timeline:** Target 90 days (or as negotiated for complex issues)
+- **Disclosure:** Coordinated disclosure 14 days after fix release
+
+### Security Considerations for Rune
+
+Rune executes user-defined commands from YAML configuration. Key security concerns:
+
+1. **Command Execution:** Rune runs shell commands defined in rituals. Ensure:
+   - Only trusted configuration sources
+   - Sandboxing where possible
+   - Audit logging enabled
+
+2. **Environment Variables:** Rune may handle sensitive tokens. Ensure:
+   - No logging of env vars with secrets
+   - OS keychain integration for credentials
+
+3. **Network Access:** Git integrations and updates require network. Ensure:
+   - HTTPS for all external calls
+   - Certificate validation
+
+### Disclosure Policy
+
+We follow coordinated disclosure:
+1. Reporter submits vulnerability
+2. We acknowledge and assess
+3. We develop and test fix
+4. We release fix and credit reporter (with permission)
+5. Public disclosure after grace period
+
+### Bug Bounty
+
+Rune does not currently offer a bug bounty program. We appreciate responsible disclosure and will credit researchers in our CHANGELOG.