repo: add SECURITY, LICENSE (if missing), editorconfig/gitattributes;…

.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 2
+
+[*.rs]
+indent_size = 4
+
+[Makefile]
+indent_style = tab

.gitattributes

@@ -1,5 +1,14 @@
-*.rs   text eol=lf
-*.toml text eol=lf
-*.sh   text eol=lf
-*.md   text eol=lf
-* text=auto
+* text=auto eol=lf
+
+# Linguist hints
+*.rs linguist-language=Rust
+*.yml linguist-language=YAML
+*.yaml linguist-language=YAML
+*.sh linguist-language=Shell
+*.md linguist-documentation
+
+# Export ignores
+/.github export-ignore
+/.gitignore export-ignore
+/.editorconfig export-ignore
+/.gitattributes export-ignore

.github/labeler.yml

@@ -0,0 +1,15 @@
+kind/feat:
+  - changed-files:
+      - any-glob-to-any-file: ['src/**', 'crates/**']
+kind/fix:
+  - changed-files:
+      - any-glob-to-any-file: ['src/**', 'crates/**']
+docs:
+  - changed-files:
+      - any-glob-to-any-file: ['**/*.md', 'docs/**']
+ops:
+  - changed-files:
+      - any-glob-to-any-file: ['deploy/**', 'scripts/**', '.github/**']
+chore:
+  - changed-files:
+      - any-glob-to-any-file: ['**']

.github/release-drafter.yml

@@ -0,0 +1,18 @@
+name-template: 'Release $NEXT_PATCH_VERSION'
+tag-template: 'v$NEXT_PATCH_VERSION'
+change-template: '- $TITLE (#$NUMBER) @$AUTHOR'
+categories:
+  - title: '🚀 Features'
+    labels: ['kind/feat', 'feature']
+  - title: '🐛 Fixes'
+    labels: ['kind/fix', 'bugfix', 'bug']
+  - title: '🧰 Maintenance'
+    labels: ['chore', 'dependencies', 'ops']
+  - title: '📝 Docs'
+    labels: ['docs']
+template: |
+  ## Changes
+  $CHANGES
+
+  ## SBOM
+  - See attached `sbom.cdx.json` on the release (if available).

.github/workflows/auto-merge-deps.yml

@@ -0,0 +1,28 @@
+name: auto-merge-deps
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize, labeled, edited]
+permissions:
+  contents: write
+  pull-requests: write
+jobs:
+  automerge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: dependabot/fetch-metadata@v2
+        id: meta
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Enable auto-merge (squash) if labeled 'dependencies'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          set -euxo pipefail
+          LABELS="${{ join(github.event.pull_request.labels.*.name, ',') }}"
+          if echo ",$LABELS," | grep -qi ",dependencies,"; then
+            gh pr merge "${PR_URL}" --squash --auto
+          else
+            echo "dependencies label missing; skipping auto-merge."
+          fi

.github/workflows/pr-labeler.yml

@@ -0,0 +1,15 @@
+name: pr-labeler
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, ready_for_review, edited]
+permissions:
+  contents: read
+  pull-requests: write
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@v5
+        with:
+          configuration-path: .github/labeler.yml
+          sync-labels: true

.github/workflows/pre-commit.yml

@@ -0,0 +1,29 @@
+name: pre-commit
+on:
+  pull_request:
+    branches: [ "main" ]
+  push:
+    branches: [ "main" ]
+    paths:
+      - ".pre-commit-config.yaml"
+      - "**/*.sh"
+      - "Dockerfile"
+      - "**/Dockerfile"
+      - "**/*.y*ml"
+      - "**/*.json"
+      - "**/*.toml"
+  workflow_dispatch: {}
+permissions:
+  contents: read
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+      - name: Install pre-commit
+        run: pipx install pre-commit
+      - name: Run pre-commit
+        run: pre-commit run --all-files

.github/workflows/release-drafter.yml

@@ -0,0 +1,18 @@
+name: release-drafter
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    types: [opened, reopened, synchronize, labeled, unlabeled, closed]
+  workflow_dispatch: {}
+permissions:
+  contents: write
+jobs:
+  update_release_draft:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: release-drafter/release-drafter@v6
+        with:
+          config-name: release-drafter.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.pre-commit-config.yaml

@@ -0,0 +1,19 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-yaml
+      - id: check-json
+      - id: check-toml
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.10.0.1
+    hooks:
+      - id: shellcheck
+        files: \.(sh)$
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.0
+    hooks:
+      - id: hadolint
+        files: (^|.*/)(Dockerfile)$|(^|.*/).*Dockerfile$

README.md

@@ -1,4 +1,12 @@
 <p align="center">
+
+[![pre-commit](https://github.com/SativusCrocus/TIN/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/SativusCrocus/TIN/actions/workflows/pre-commit.yml)
+
+[![auto-merge-deps](https://github.com/SativusCrocus/TIN/actions/workflows/auto-merge-deps.yml/badge.svg)](https://github.com/SativusCrocus/TIN/actions/workflows/auto-merge-deps.yml)
+
+[![pr-labeler](https://github.com/SativusCrocus/TIN/actions/workflows/pr-labeler.yml/badge.svg)](https://github.com/SativusCrocus/TIN/actions/workflows/pr-labeler.yml)
+
+[![release-drafter](https://github.com/SativusCrocus/TIN/actions/workflows/release-drafter.yml/badge.svg)](https://github.com/SativusCrocus/TIN/actions/workflows/release-drafter.yml)
   <img src="https://dummyimage.com/800x180/0b0b0b/ffffff&text=T I N — Temporal+Integrity+Network" />
 </p>
 

SECURITY.md

@@ -0,0 +1,10 @@
+# Security Policy
+
+## Supported Versions
+Security fixes are applied to the latest `main` branch and the most recent release.
+
+## Reporting a Vulnerability
+Please create a **private** report via GitHub **Security Advisories**:
+- Repo → **Security** → **Advisories** → **Report a vulnerability**
+
+Alternatively, email repository admins via their GitHub profile contact. We will acknowledge receipt within 72 hours and coordinate a fix and disclosure timeline.