chore: add community health files and repo metadata

Michael van den Berg · claude · Michael van den Berg · commit 638de2b05bf8 · 2026-03-10T20:58:44.000+01:00
- LICENSE (MIT)
- CONTRIBUTING.md — dev setup, test and style workflow
- SECURITY.md — private disclosure process, scope, design notes
- CODE_OF_CONDUCT.md — Contributor Covenant v2.1
- .github/ISSUE_TEMPLATE/{bug_report,feature_request}.md
- .github/pull_request_template.md

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,28 @@
+---
+name: Bug report
+about: Something is broken
+labels: bug
+---
+
+## Describe the bug
+A clear description of what the bug is.
+
+## To reproduce
+Steps to reproduce the behaviour:
+1. ...
+2. ...
+
+## Expected behaviour
+What you expected to happen.
+
+## Environment
+- OS:
+- Docker version (`docker --version`):
+- GPU / VRAM:
+- `EMBEDDING_MODEL`:
+- `EMBEDDING_DEVICE`:
+
+## Logs
+```
+# paste relevant output from: docker compose logs
+```
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Suggest an idea or improvement
+labels: enhancement
+---
+
+## Problem / motivation
+What problem does this feature solve? Who benefits from it?
+
+## Proposed solution
+Describe what you'd like to happen.
+
+## Alternatives considered
+Any alternative approaches you've thought about.
+
+## Additional context
+Links, references, or screenshots that might help.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,20 @@
+## Summary
+<!-- What does this PR do? 1-3 bullet points. -->
+-
+
+## Type of change
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Refactor / cleanup
+- [ ] Docs / config only
+
+## Test plan
+<!-- How was this tested? -->
+- [ ] `pytest` passes locally
+- [ ] Tested against a running `docker compose up` stack
+- [ ] New tests added for new behaviour
+
+## Checklist
+- [ ] `ruff check` and `ruff format` pass
+- [ ] No secrets or personal data included
+- [ ] `docker-compose.override.yml` changes go in the `.example` file only
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -0,0 +1,56 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, colour, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behaviour that contributes to a positive environment:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologising to those affected by our mistakes
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behaviour:
+
+* The use of sexualised language or imagery, and sexual attention or advances
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Project maintainers are responsible for clarifying and enforcing our standards
+and will take appropriate and fair corrective action in response to any
+behaviour they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behaviour may be
+reported to the project maintainer via GitHub's private
+[Security Advisories](https://github.com/M-vdBerg/GraphRAG/security/advisories/new).
+All complaints will be reviewed and investigated promptly and fairly.
+
+## Attribution
+
+This Code of Conduct is adapted from the
+[Contributor Covenant](https://www.contributor-covenant.org), version 2.1.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,70 @@
+# Contributing to GraphRAG
+
+Thank you for your interest in contributing! This document covers how to get
+started, the development workflow, and what to expect from the review process.
+
+## Getting started
+
+1. Fork the repository and clone your fork
+2. Copy `.env.example` to `.env` and fill in values
+3. Copy `docker-compose.override.yml.example` to `docker-compose.override.yml`
+4. Install dev dependencies:
+   ```bash
+   pip install -e ".[dev]"
+   ```
+5. Start the stack:
+   ```bash
+   docker compose up postgres   # just the DB is enough for most work
+   ```
+
+## Running tests
+
+```bash
+pytest
+```
+
+The test suite does not require a running database — DB-dependent tests are
+integration tests and are skipped unless `POSTGRES_PASSWORD` is set and the
+database is reachable.
+
+## Code style
+
+This project uses [Ruff](https://docs.astral.sh/ruff/) for linting and
+formatting.
+
+```bash
+ruff check src/ tests/
+ruff format src/ tests/
+```
+
+Type annotations are checked with mypy:
+
+```bash
+mypy src/
+```
+
+CI enforces both on every pull request.
+
+## Submitting changes
+
+1. Create a branch from `main`: `git checkout -b feat/my-feature`
+2. Make your changes, add tests where appropriate
+3. Run the linter and tests locally before pushing
+4. Open a pull request against `main` — fill in the PR template
+5. A maintainer will review and merge or request changes
+
+## Reporting bugs
+
+Please use the [bug report issue template](.github/ISSUE_TEMPLATE/bug_report.md).
+Include the output of `docker compose logs` and your environment details.
+
+## Suggesting features
+
+Open a [feature request](.github/ISSUE_TEMPLATE/feature_request.md) and
+describe the use case before starting implementation work. This avoids effort
+on changes that may not align with the project direction.
+
+## Code of Conduct
+
+This project follows the [Contributor Covenant](CODE_OF_CONDUCT.md).
+Please be respectful and constructive in all interactions.
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Michael van den Berg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,46 @@
+# Security Policy
+
+## Supported versions
+
+| Version | Supported |
+|---------|-----------|
+| `main`  | ✅ Latest commit |
+| Older tags | ❌ No backports |
+
+## Reporting a vulnerability
+
+**Please do not open a public GitHub issue for security vulnerabilities.**
+
+Report security issues privately via GitHub's
+[Security Advisories](https://github.com/M-vdBerg/GraphRAG/security/advisories/new)
+feature (Repository → Security → Advisories → New draft advisory).
+
+Include:
+- A description of the vulnerability and its potential impact
+- Steps to reproduce or a proof-of-concept
+- Any suggested mitigations you are aware of
+
+You can expect an acknowledgement within **72 hours** and a resolution
+timeline within **14 days** for critical issues.
+
+## Scope
+
+Issues in scope:
+- SQL / Cypher injection via MCP tool inputs
+- Authentication or authorisation bypasses in the MCP server
+- Container escape or privilege escalation via the Docker setup
+- Credential leakage (e.g. secrets ending up in logs or image layers)
+
+Out of scope:
+- Vulnerabilities in upstream dependencies (report those to the respective
+  project maintainers)
+- Issues that require physical access to the host machine
+
+## Security design notes
+
+- All containers run as a non-root user (`appuser`, UID 1001)
+- No secrets are committed to the repository — credentials are loaded
+  exclusively from environment variables / `.env` (gitignored)
+- The `internal` Docker network isolates PostgreSQL and the watcher from
+  external access; only the MCP server is on the `external` network
+- MCP tool inputs are validated via Pydantic before reaching the database
