chore: add open-source contribution governance

.editorconfig

@@ -0,0 +1,15 @@
+# EditorConfig — https://editorconfig.org
+# Keep editors aligned with the Prettier config (.prettierrc).
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+# Markdown uses two trailing spaces for hard line breaks — don't strip them.
+[*.md]
+trim_trailing_whitespace = false

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,63 @@
+name: Bug report
+description: Report a problem with the dcd CLI or dcd-mcp server
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug! Please fill in the details below.
+
+        ⚠️ **Do not report security vulnerabilities here** — see our
+        [Security Policy](https://github.com/devicecloud-dev/dcd-cli/blob/dev/SECURITY.md).
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: A clear description of the bug, including what you expected to happen instead.
+    validations:
+      required: true
+  - type: textarea
+    id: repro
+    attributes:
+      label: Steps to reproduce
+      description: The exact `dcd` command(s) you ran and what followed. Redact any API keys.
+      placeholder: |
+        1. Run `dcd cloud --apiKey *** app.apk flows/`
+        2. ...
+        3. See error
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: CLI version
+      description: Output of `dcd --version`.
+      placeholder: "e.g. 5.0.0"
+    validations:
+      required: true
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating system
+      options:
+        - macOS
+        - Linux
+        - Windows
+        - Other (note in description)
+    validations:
+      required: true
+  - type: input
+    id: install
+    attributes:
+      label: How did you install dcd?
+      placeholder: "binary (curl/irm), npm global, npx, …"
+    validations:
+      required: false
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs / output
+      description: Relevant output. Re-run with more detail if you can. This is automatically formatted as code.
+      render: shell
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Questions & help
+    url: https://discord.gg/gm3mJwcNw8
+    about: For usage questions and general help, ask in our Discord rather than opening an issue.
+  - name: Documentation
+    url: https://docs.devicecloud.dev
+    about: Check the docs for installation, usage, and command reference.
+  - name: Report a security vulnerability
+    url: https://github.com/devicecloud-dev/dcd-cli/blob/dev/SECURITY.md
+    about: Do not file security issues publicly — email security@devicecloud.dev (see our Security Policy).

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,35 @@
+name: Feature request
+description: Suggest an idea or improvement for the dcd CLI or dcd-mcp server
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: Thanks for the suggestion! Please describe the problem before the solution.
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem are you trying to solve?
+      description: What are you trying to do, and where does the CLI get in the way today?
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: What would you like to happen? A concrete command/flag/output sketch helps.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Other approaches or workarounds you've thought about.
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Anything else — links, screenshots, related issues.
+    validations:
+      required: false

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,36 @@
+<!--
+  PR TITLE: must follow Conventional Commits — it becomes the squash-merge
+  commit and feeds release-please. e.g.  feat(cloud): add --json output
+  Allowed types: feat, fix, perf, deps, revert, refactor, docs, chore, test, ci, build, style
+  See CONTRIBUTING.md for details.
+-->
+
+## What & why
+
+<!-- What does this change do, and why? Link any related issue: Closes #123 -->
+
+## Type of change
+
+<!-- Match this to your PR title's type. -->
+
+- [ ] `fix` — bug fix
+- [ ] `feat` — new feature
+- [ ] `perf` — performance improvement
+- [ ] `refactor` — code change that's neither a fix nor a feature
+- [ ] `docs` — documentation only
+- [ ] `chore` / `ci` / `build` / `test` — tooling, no user-facing change
+- [ ] Breaking change (title has `!` or PR notes a `BREAKING CHANGE:`)
+
+## Checklist
+
+- [ ] PR title follows the Conventional Commits format (see comment above)
+- [ ] `pnpm lint` passes
+- [ ] `pnpm typecheck` passes
+- [ ] `pnpm build` passes
+- [ ] I have **not** bumped the version or edited `CHANGELOG.md` (release-please handles this)
+- [ ] I have signed the CLA (the bot will prompt on first contribution)
+- [ ] Docs / `README.md` / `STYLE_GUIDE.md` updated if behaviour or output changed
+
+## How to test
+
+<!-- Steps a reviewer can follow to verify the change. -->

.github/dependabot.yml

@@ -0,0 +1,34 @@
+version: 2
+updates:
+  # npm / pnpm dependencies.
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: weekly
+    target-branch: dev
+    open-pull-requests-limit: 10
+    commit-message:
+      # Conventional Commit prefix so the squashed PR title matches our PR-title
+      # lint and release-please picks dependency bumps into the changelog.
+      prefix: deps
+      prefix-development: chore
+    groups:
+      # Collapse the noise: one PR for all non-major updates.
+      minor-and-patch:
+        update-types:
+          - minor
+          - patch
+
+  # GitHub Actions used by our workflows.
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+    target-branch: dev
+    commit-message:
+      prefix: ci
+    groups:
+      actions:
+        update-types:
+          - minor
+          - patch

.github/workflows/cla.yml

@@ -0,0 +1,49 @@
+name: CLA Assistant
+
+# Gates merges on a signed Contributor License Agreement.
+#
+# Uses CLA Assistant Lite (contributor-assistant/github-action): signatures are
+# stored as a JSON file committed to a branch of THIS repo (no third-party
+# service holds the data). Contributors sign by commenting the configured phrase
+# on their PR; the action records it and flips the check green.
+#
+# SETUP REQUIRED before this can work:
+#   1. Create a token with repo write access and add it as the `PERSONAL_ACCESS_TOKEN`
+#      secret (a fine-grained PAT or the release GitHub App token both work). The
+#      default GITHUB_TOKEN is also passed, but a PAT is needed to commit the
+#      signature file back to the repo.
+#   2. Create the `cla-signatures` branch (e.g. an empty orphan branch) so the
+#      action has somewhere to write `signatures/version1/cla.json`.
+#   3. Finalise CLA.md (legal review) — it's the document contributors agree to.
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+
+permissions:
+  actions: write
+  contents: write
+  pull-requests: write
+  statuses: write
+
+jobs:
+  cla:
+    runs-on: ubuntu-latest
+    # Only act on the signature comment or on PR events (not every comment).
+    if: (github.event.issue.pull_request && contains(github.event.comment.body, 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target'
+    steps:
+      - uses: contributor-assistant/github-action@v2.6.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+        with:
+          path-to-signatures: "signatures/version1/cla.json"
+          path-to-document: "https://github.com/devicecloud-dev/dcd-cli/blob/dev/CLA.md"
+          branch: "cla-signatures"
+          # PR target branches the CLA applies to.
+          allowlist: dependabot[bot],renovate[bot],*[bot]
+          # Customise the bot's prompts if desired:
+          custom-notsigned-prompt: "Thanks for your contribution! Please sign our Contributor License Agreement before we can merge. Comment the line below to sign:"
+          custom-pr-sign-comment: "I have read the CLA Document and I hereby sign the CLA"
+          custom-allsigned-prompt: "All contributors have signed the CLA. ✍️ ✅"

.github/workflows/cli-ci.yml

@@ -2,9 +2,11 @@ name: CLI CI
 
 on:
   push:
-    branches: [ dev ]
+    branches: [ dev, production ]
   pull_request:
-    branches: [ dev ]
+    # `production` is included so the dev→production promotion PR is also gated
+    # by lint/typecheck/build (and is required by the production ruleset).
+    branches: [ dev, production ]
   workflow_dispatch:
 
 permissions:

.github/workflows/pr-title-lint.yml

@@ -0,0 +1,43 @@
+name: PR Title
+
+# Enforces Conventional Commits on the PR *title*. Because PRs are squash-merged
+# with the title as the commit subject, this is what release-please parses to
+# compute version bumps and the changelog — so the allowed types below must stay
+# in sync with `changelog-sections` in release-please-config.json.
+#
+# Uses pull_request_target so it also runs (and reports a required status check)
+# on PRs from forks. It only reads the title — no untrusted code is checked out.
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+permissions:
+  pull-requests: read
+
+jobs:
+  validate:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          # Keep in lockstep with release-please-config.json changelog-sections.
+          types: |
+            feat
+            fix
+            perf
+            deps
+            revert
+            refactor
+            docs
+            chore
+            test
+            ci
+            build
+            style

.github/workflows/release-please.yml

@@ -22,31 +22,54 @@ jobs:
   release-please-prod:
     if: github.ref_name == 'production'
     runs-on: ubuntu-latest
+    # Empty until the release GitHub App secrets are configured. We use an App
+    # token (not GITHUB_TOKEN) so the Release PR triggers CI / PR-title / CLA
+    # checks — PRs opened by GITHUB_TOKEN do not, which would deadlock branch
+    # protection. Falls back to GITHUB_TOKEN (today's behaviour) until the App
+    # is set up, so this is safe to merge before then.
+    env:
+      RELEASE_PLEASE_APP_ID: ${{ secrets.RELEASE_PLEASE_APP_ID }}
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
       tag_name: ${{ steps.release.outputs.tag_name }}
       version: ${{ steps.release.outputs.version }}
     steps:
+      - uses: actions/create-github-app-token@v2
+        id: app-token
+        if: env.RELEASE_PLEASE_APP_ID != ''
+        with:
+          app-id: ${{ secrets.RELEASE_PLEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_PLEASE_APP_PRIVATE_KEY }}
       - uses: googleapis/release-please-action@v4
         id: release
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
           target-branch: production
           config-file: release-please-config.json
           manifest-file: .release-please-manifest.json
 
   release-please-beta:
     if: github.ref_name == 'dev'
     runs-on: ubuntu-latest
+    # See release-please-prod above for why this uses an App token with a
+    # GITHUB_TOKEN fallback.
+    env:
+      RELEASE_PLEASE_APP_ID: ${{ secrets.RELEASE_PLEASE_APP_ID }}
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
       tag_name: ${{ steps.release.outputs.tag_name }}
       version: ${{ steps.release.outputs.version }}
     steps:
+      - uses: actions/create-github-app-token@v2
+        id: app-token
+        if: env.RELEASE_PLEASE_APP_ID != ''
+        with:
+          app-id: ${{ secrets.RELEASE_PLEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_PLEASE_APP_PRIVATE_KEY }}
       - uses: googleapis/release-please-action@v4
         id: release
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
           target-branch: dev
           config-file: release-please-config-beta.json
           manifest-file: .release-please-manifest-beta.json