docs(public): publish canonical storefront

Author: xiaojiou176

AGENTS.md

@@ -0,0 +1,30 @@
+# Code of Conduct
+
+## Our Pledge
+
+We want this repository to be a respectful, low-drama place for engineering
+discussion, bug reports, documentation fixes, and scoped contributions.
+
+## Expected Behavior
+
+- Be respectful and specific.
+- Prefer evidence over heat.
+- Assume good intent, but do not hide concrete risks.
+- Keep criticism focused on code, behavior, contracts, or documentation.
+
+## Unacceptable Behavior
+
+- Harassment, abuse, or personal attacks
+- Discriminatory language
+- Publishing private information without permission
+- Repeated bad-faith disruption of issue or review threads
+
+## Enforcement
+
+Maintainers may remove comments, close threads, or block participation when
+behavior makes the repository unsafe or unproductive.
+
+## Scope
+
+This Code of Conduct applies to repository issues, pull requests, discussions,
+and other project communication channels.

CHANGELOG.md

@@ -0,0 +1,41 @@
+# Contributing
+
+Thank you for considering a contribution to CortexPilot.
+
+## Good Contributions
+
+- reproducible bug fixes
+- documentation improvements
+- targeted tests
+- narrowly scoped feature work with a clear problem statement
+
+## Please Avoid
+
+- large refactors mixed with behavior changes
+- drive-by formatting-only pull requests
+- compatibility shims without a removal plan
+- policy or license changes without maintainer alignment
+
+## Before You Open A Pull Request
+
+1. Read [README.md](README.md).
+2. Read [docs/README.md](docs/README.md).
+3. Read the nearest module guide if you touch `apps/orchestrator`, `apps/dashboard`, or `apps/desktop`.
+4. Run the relevant verification commands locally.
+
+## Required Standards
+
+- keep changes scoped to one main purpose
+- update tests when behavior changes
+- update docs when commands, APIs, or public behavior change
+- do not commit runtime output, logs, local secrets, or generated noise
+- prefer minimal, auditable diffs over broad rewrites
+
+## Pull Request Checklist
+
+- explain what changed and why
+- list exact verification commands you ran
+- call out unresolved risks
+- update documentation when needed
+
+See [`.github/pull_request_template.md`](.github/pull_request_template.md) for the expected format.

CLAUDE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Yifeng (Terry) Yu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

CODE_OF_CONDUCT.md

@@ -0,0 +1,25 @@
+# Privacy Notes
+
+CortexPilot is source code, not a hosted service.
+
+## Default Local Behavior
+
+Unless you explicitly configure external integrations, expected runtime output
+stays local:
+
+- logs under `.runtime-cache/logs/`
+- test and governance artifacts under `.runtime-cache/test_output/`
+- runtime-generated contracts under `.runtime-cache/cortexpilot/contracts/`
+
+## Sensitive Data Rules
+
+- do not commit real credentials or local `.env` files
+- do not commit runtime traces, screenshots, or evidence bundles containing
+  private data
+- redact tokens, cookies, and personal data before sharing logs or screenshots
+
+## Optional Integrations
+
+Some workflows can be connected to external telemetry or tracing providers. If
+you enable them in your own environment, you are responsible for reviewing the
+provider terms and your own data-handling obligations.

CONTRIBUTING.md

@@ -0,0 +1,51 @@
+# Security Policy
+
+## Reporting A Vulnerability
+
+- Do not open a public issue or pull request for a suspected security problem.
+- Current live private reporting path: the public repository
+  `xiaojiou176-open/CortexPilot-public` has GitHub private vulnerability
+  reporting enabled. Submit reports through the advisory form at
+  `https://github.com/xiaojiou176-open/CortexPilot-public/security/advisories/new`.
+- If that form is unavailable, do not disclose details publicly. This
+  repository still does not publish a second verified fallback private
+  reporting channel, so none should be assumed by reporters.
+- Maintainer follow-up tail: before calling the security reporting surface
+  fully closed, publish or verify a non-public fallback path outside public
+  issues and pull requests.
+- Wait for maintainer acknowledgement through the advisory flow before sharing
+  any details publicly.
+
+## In Scope
+
+Please report issues involving:
+
+- credential handling or secret exposure
+- authorization, approval, or replay surfaces
+- browser profile, cookie, or automation isolation
+- telemetry, evidence, and log redaction
+- CI, release, or supply-chain integrity
+
+## What To Include
+
+- affected path or feature
+- reproduction steps
+- expected and actual behavior
+- impact assessment
+- any temporary mitigation you tested
+
+## What Not To Include
+
+- real secrets, cookies, tokens, or private data
+- exploit details in public channels
+- large unrelated refactors mixed with a security report
+
+## Response Expectations
+
+- security reports are triaged on a best-effort basis
+- no SLA or bounty program is promised
+- coordinated disclosure is preferred
+- branch protection and other GitHub security controls should be treated as
+  separate governance checks; they do not replace the private reporting path
+
+Thank you for helping keep CortexPilot safer for contributors and users.

LICENSE

@@ -0,0 +1,40 @@
+# Support
+
+## What To Use GitHub For
+
+- bug reports with clear reproduction steps
+- documentation fixes
+- narrowly scoped feature proposals
+- questions about repository behavior after you have checked the README and docs
+
+## What To Include
+
+- exact command(s) you ran
+- exact file path(s) involved
+- expected result
+- actual result
+- relevant logs or screenshots with secrets removed
+
+## What Is Out Of Scope
+
+- private support for custom forks or deployments
+- consulting or paid implementation work
+- guaranteed response times
+- hosted-service style support expectations
+- Linux/BSD or Windows desktop runtime support; the current public desktop
+  support boundary is macOS-only and non-macOS desktop paths are unsupported
+
+## Security Reports
+
+For vulnerabilities, do not open a public issue. Follow
+[SECURITY.md](SECURITY.md) and use the documented GitHub advisory form private
+path there first on the live public repository. An additional verified fallback
+private reporting channel is still not published in the repository docs and
+should not be assumed by reporters. If maintainers want a fully closed public
+security surface, that fallback must be published or verified separately.
+
+## Before Filing An Issue
+
+1. Read [README.md](README.md).
+2. Read [docs/README.md](docs/README.md).
+3. Search existing issues and pull requests.