Governance + CI/supply-chain hardening

.github/CODEOWNERS

@@ -0,0 +1,12 @@
+# Default owner for everything.
+* @miguelrisero
+
+# Build system, dev server, CI, and hub config need maintainer review —
+# these run code at build time and govern every template's behavior.
+/build.mjs @miguelrisero
+/build-node-functions.mjs @miguelrisero
+/dev.mjs @miguelrisero
+/dev-node-functions.mjs @miguelrisero
+/vercel.json @miguelrisero
+/externals.json @miguelrisero
+/.github/ @miguelrisero

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,30 @@
+---
+name: Bug report
+about: Something in the hub or build system isn't working
+title: "[bug] "
+labels: bug
+---
+
+**What happened**
+
+<!-- Clear description of the bug. -->
+
+**Steps to reproduce**
+
+1.
+2.
+3.
+
+**Expected vs actual**
+
+**Environment**
+
+- Node version:
+- OS:
+- Template/project (if specific):
+
+**Build output / logs**
+
+```
+<!-- paste relevant `npm run build` output -->
+```

.github/ISSUE_TEMPLATE/new_template.md

@@ -0,0 +1,23 @@
+---
+name: New template proposal
+about: Propose a new template to add under projects/
+title: "[template] "
+labels: template
+---
+
+**Template name (slug)**
+
+<!-- lowercase-with-hyphens; becomes the URL path -->
+
+**Type**
+
+<!-- static / vite / next / nuxt / nuxt-server / custom / node-functions -->
+
+**What it demonstrates**
+
+<!-- One or two sentences on what this template shows and why it's useful. -->
+
+**Dependencies / build command**
+
+<!-- Anything reviewers should know about install scripts, build steps, or
+     external services. Remember: no secrets, and it must build self-contained. -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,18 @@
+## What & why
+
+<!-- What does this PR add/change, and why? -->
+
+## Checklist
+
+- [ ] `npm run build` passes locally
+- [ ] New template (if any) lives under `projects/<slug>/` with a slug name
+      (`[a-z0-9-]`) and a committed lockfile
+- [ ] **No secrets / keys / real customer or internal data / private hostnames**
+      — in files or history (this repo is public + indexable)
+- [ ] Build command / install scripts are limited to what the template needs
+- [ ] Docs updated if behavior changed (README / CLAUDE.md)
+
+## Notes for reviewers
+
+<!-- Anything that touches build*.mjs, .github/**, vercel.json, or cron/functions
+     deserves a callout here. -->

.github/dependabot.yml

@@ -0,0 +1,20 @@
+version: 2
+updates:
+  # Keep the SHA-pinned GitHub Actions current.
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: ci
+
+  # Hub dependencies (esbuild) + every template's package.json.
+  - package-ecosystem: npm
+    directories:
+      - "/"
+      - "/projects/*"
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: chore
+    open-pull-requests-limit: 10

.github/workflows/ci.yml

@@ -5,14 +5,28 @@ on:
     branches: [main]
   pull_request:
 
+# Least privilege: the build needs only to read the checkout. No write scopes,
+# so a compromised step or a malicious fork-PR build can't push, comment, or
+# touch other repo state with the GITHUB_TOKEN.
+permissions:
+  contents: read
+
+# Cancel superseded runs on the same ref so spammy PRs can't pile up runners.
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
     name: Build & verify
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      # Actions pinned to full commit SHAs (not @v6 tags) so a tag re-point on
+      # the action's repo can't silently change what runs here. Dependabot
+      # (github-actions ecosystem) keeps these SHAs current.
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.3
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 22
           cache: npm
@@ -46,5 +60,5 @@ jobs:
             done
           fi
 
-      - name: Build all prototypes
+      - name: Build all templates
         run: npm run build

CONTRIBUTING.md

@@ -0,0 +1,48 @@
+# Contributing
+
+Thanks for adding to **Runflow Templates**. Each folder under `projects/` is an
+independent template that builds and deploys with the rest of the hub.
+
+## Add a template
+
+1. Create a folder under `projects/<name>/`.
+   - `<name>` becomes the public URL path, so use a slug: **lowercase letters,
+     digits, and hyphens only** (`^[a-z0-9][a-z0-9-]*$`). The build skips
+     anything else.
+2. Add your files. If it needs a build step, include a `package.json` (and a
+   committed lockfile — see "Reproducible installs" below).
+3. Run `npm run build` from the repo root and confirm your template appears
+   under `.vercel/output/static/<name>/`.
+4. Open a PR. CI runs `npm run build`; it must pass.
+
+The build auto-detects the type (`static`, `vite`, `next`, `nuxt`,
+`nuxt-server`, `custom`, `node-functions`) — see the [README](README.md) for the
+detection table and `template.config.json` options.
+
+## Ground rules
+
+- **No secrets, ever.** No API keys, tokens, real customer/internal data,
+  private hostnames, or internal screenshots — in files *or* commit history.
+  This repo is public and indexable.
+- **Templates run code at build.** Your `package.json` scripts and any
+  `template.config.json` `buildCmd` execute in CI and on the deploy host. Keep
+  them to what your template needs; reviewers will scrutinize build commands.
+- **Reproducible installs.** Commit a lockfile (`package-lock.json` /
+  `pnpm-lock.yaml` / `bun.lockb`) so builds are deterministic.
+- **Keep it self-contained.** A template should build from its own folder with
+  no reach outside it.
+
+## Commit / PR norms
+
+- Small, focused commits with clear messages (Conventional Commits style:
+  `feat:`, `fix:`, `chore:`, `docs:`).
+- Fill out the PR template checklist.
+- Changes to `build*.mjs`, `dev*.mjs`, `.github/**`, `vercel.json`, or
+  `externals.json` require maintainer (CODEOWNERS) review.
+
+## Local development
+
+```bash
+npm install        # hub deps (esbuild)
+npm run dev        # build + serve at http://localhost:3000
+```

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Runflow
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

SECURITY.md

@@ -0,0 +1,30 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+Please **do not** open a public issue for security problems. Instead, use
+GitHub's private vulnerability reporting (the **Security → Report a
+vulnerability** tab on this repo) or email **security@runflow.io**.
+
+We aim to acknowledge reports within 3 business days.
+
+## Scope
+
+This repo is a **public template hosting hub**. The build orchestrator
+(`build.mjs` / `build-node-functions.mjs`) and the CI pipeline are in scope.
+Individual templates under `projects/` are examples — report issues in them too,
+but treat their dependencies as third-party.
+
+## Important notes for contributors
+
+- **Templates execute code at build time.** Adding a folder under `projects/`
+  means its `package.json` install scripts and build command run in CI and on
+  the deploy host. Only the maintainers listed in `CODEOWNERS` can approve
+  changes to build scripts and workflows.
+- **Never commit secrets.** Real credentials, API keys, private endpoints, or
+  internal hostnames must never appear in this public repo (including git
+  history). Use `.env` locally (it is gitignored) and your host's environment
+  settings in production. `CRON_SECRET` in `.env.example` is a placeholder.
+- The auto-generated landing page and every hosted template are **public and
+  indexable**. Do not put anything behind a "password" in client-side code and
+  assume it is protected — it is not. Gate sensitive surfaces server-side.