Add open source contribution infrastructure

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,34 @@
+---
+name: Bug Report
+about: Report a bug to help us improve
+title: ''
+labels: bug
+assignees: ''
+---
+
+## Describe the Bug
+
+A clear description of what the bug is.
+
+## Steps to Reproduce
+
+1. Go to '...'
+2. Click on '...'
+3. See error
+
+## Expected Behavior
+
+What you expected to happen.
+
+## Screenshots
+
+If applicable, add screenshots.
+
+## Environment
+
+- OS: [e.g., macOS 14.0, Windows 11, Ubuntu 22.04]
+- AgentLoom Version: [e.g., 0.1.0]
+
+## Additional Context
+
+Any other context about the problem.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,23 @@
+---
+name: Feature Request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+---
+
+## Problem Statement
+
+A clear description of the problem you're trying to solve.
+
+## Proposed Solution
+
+Describe the solution you'd like.
+
+## Alternatives Considered
+
+Any alternative solutions or features you've considered.
+
+## Additional Context
+
+Any other context or screenshots about the feature request.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,22 @@
+## Summary
+
+Brief description of changes.
+
+## Changes
+
+- Change 1
+- Change 2
+
+## Testing
+
+- [ ] Tests pass (`cargo test`)
+- [ ] Linting passes (`cargo clippy`)
+- [ ] Formatting checked (`cargo fmt --check`)
+
+## Screenshots
+
+If applicable, add screenshots.
+
+## Related Issues
+
+Closes #

.github/workflows/ci.yml

@@ -0,0 +1,49 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy, rustfmt
+
+      - name: Install Linux dependencies
+        uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: libgtk-3-dev libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
+          version: 1.0
+
+      - name: Rust cache
+        uses: Swatinem/rust-cache@v2
+
+      - name: Check formatting
+        run: cargo fmt --all -- --check
+
+      - name: Run clippy
+        run: cargo clippy -p agentloom-core -p agentloom-cli --all-targets -- -D warnings
+
+      - name: Run tests
+        run: cargo test -p agentloom-core -p agentloom-cli

AGENTS.md

@@ -104,14 +104,24 @@ grep -r "Reflection Loop" agents/reference/
 - Custom commit scripts -> Use instead of `/commit`
 - Custom PR scripts -> Use instead of `/commit-push-pr`
 
-## Git Workflow
+## Git Workflow (Open Source)
 
-**Push directly to main. Do not create pull requests.**
+**Read `CONTRIBUTING.md` for the full contribution guide.**
 
-When asked to commit and push:
-1. Commit changes on the current branch (main)
-2. Push directly to `origin main`
-3. Do NOT create feature branches or PRs
+This is an open source project. Always use feature branches and pull requests:
+
+1. Create a feature branch: `git checkout -b feature/short-description` or `fix/short-description`
+2. Make changes and commit with descriptive messages
+3. Push to origin: `git push -u origin feature/short-description`
+4. Open a Pull Request against `main`
+5. Ensure CI checks pass before merging
+
+### Branch Naming Convention
+
+- `feature/` - New features
+- `fix/` - Bug fixes
+- `docs/` - Documentation updates
+- `refactor/` - Code refactoring
 
 ### Installing Plugins
 

CODE_OF_CONDUCT.md

@@ -0,0 +1,29 @@
+# Code of Conduct
+
+## Our Pledge
+
+We are committed to making participation in this project a welcoming experience for everyone.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+
+Examples of unacceptable behavior:
+
+- Trolling, insulting comments, or personal attacks
+- Public or private harassment
+- Publishing others' private information without permission
+- Other conduct which could reasonably be considered inappropriate
+
+## Enforcement
+
+Instances of unacceptable behavior may be reported to the project maintainers. All complaints will be reviewed and investigated.
+
+## Attribution
+
+This Code of Conduct is adapted from the Contributor Covenant, version 2.1.

CONTRIBUTING.md

@@ -0,0 +1,77 @@
+# Contributing to AgentLoom
+
+Thank you for your interest in contributing to AgentLoom!
+
+## Getting Started
+
+1. Fork the repository
+2. Clone your fork locally
+3. Install dependencies: `npm install`
+4. Build: `cargo build`
+5. Run tests: `cargo test`
+
+## Development Workflow
+
+### Branch Naming
+
+Create a branch from `main` using this naming convention:
+
+- `feature/short-description` - New features
+- `fix/short-description` - Bug fixes
+- `docs/short-description` - Documentation updates
+- `refactor/short-description` - Code refactoring
+
+### Making Changes
+
+1. Create a feature branch: `git checkout -b feature/your-feature`
+2. Make your changes
+3. Run tests: `cargo test`
+4. Run linting: `cargo clippy`
+5. Format code: `cargo fmt`
+6. Commit with a descriptive message
+7. Push to your fork
+8. Open a Pull Request against `main`
+
+### Commit Messages
+
+Use clear, descriptive commit messages:
+
+- `feat: add skill validation for frontmatter`
+- `fix: resolve symlink creation on Windows`
+- `docs: update installation instructions`
+- `refactor: simplify skill sync logic`
+
+### Pull Request Process
+
+1. Ensure all CI checks pass
+2. Update documentation if needed
+3. Add tests for new functionality
+4. Request review from maintainers
+
+## Code Style
+
+- **Rust**: Follow standard Rust conventions, use `cargo fmt`
+- **TypeScript/Svelte**: Use Prettier formatting
+- **Comments**: Explain *why*, not *what*
+
+## Testing
+
+- Run all tests: `cargo test`
+- Run specific crate tests: `cargo test -p agentloom-core`
+- Add tests for new features and bug fixes
+
+## Project Structure
+
+```
+agent-loom/
+├── crates/
+│   ├── talent-core/     # Core library (agentloom-core)
+│   └── talent-cli/      # CLI application
+├── src-tauri/           # Tauri backend
+├── src/                 # Svelte frontend
+└── agents/              # Agent specifications
+```
+
+## Questions?
+
+Open an issue for questions or discussion.

SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in AgentLoom, please report it responsibly.
+
+**Do NOT open a public issue for security vulnerabilities.**
+
+Instead, please email the maintainers directly or use GitHub's private vulnerability reporting feature.
+
+### What to Include
+
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested fix (if any)
+
+### Response Timeline
+
+- **Acknowledgment**: Within 48 hours
+- **Initial Assessment**: Within 1 week
+- **Resolution**: Depends on severity
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.x.x   | Yes (current)      |
+
+## Security Considerations
+
+AgentLoom manages symlinks and file system operations. Key security areas:
+
+- **Symlink handling**: Prevents symlink attacks and path traversal
+- **File permissions**: Respects system file permissions
+- **No network access**: Core functionality is entirely local
+
+## Best Practices for Users
+
+- Keep AgentLoom updated to the latest version
+- Review skills before installing from untrusted sources
+- Use standard OS security practices

crates/talent-cli/src/main.rs

@@ -2,11 +2,11 @@
 //!
 //! Command-line interface for managing skills across AI CLI tools.
 
-use clap::Parser;
 use agentloom_core::{
     Config, ConflictResolution, ImportSelection, Importer, SkillManager, SyncResult,
     ValidationStatus,
 };
+use clap::Parser;
 
 #[derive(Parser)]
 #[command(name = "agentloom")]

crates/talent-core/src/importer.rs

@@ -217,9 +217,7 @@ impl Importer {
                     let target_canonical = if target.is_absolute() {
                         target
                     } else {
-                        path.parent()
-                            .map(|p| p.join(&target))
-                            .unwrap_or(target)
+                        path.parent().map(|p| p.join(&target)).unwrap_or(target)
                     };
 
                     // Check if the target is under our skills directory
@@ -289,10 +287,9 @@ impl Importer {
             if entry_path.file_name().is_some_and(|n| n == SKILL_FILE_NAME) {
                 if let Some(skill_dir) = entry_path.parent() {
                     // Skip if this is inside our own skills directory
-                    if let (Ok(skill_abs), Ok(talent_abs)) = (
-                        skill_dir.canonicalize(),
-                        self.skills_dir.canonicalize(),
-                    ) {
+                    if let (Ok(skill_abs), Ok(talent_abs)) =
+                        (skill_dir.canonicalize(), self.skills_dir.canonicalize())
+                    {
                         if skill_abs.starts_with(&talent_abs) {
                             continue;
                         }
@@ -320,8 +317,7 @@ impl Importer {
 
         // Extract frontmatter for normalization check
         let trimmed = contents.trim_start();
-        let (yaml_content, _body) = if trimmed.starts_with("---") {
-            let after_first = &trimmed[3..];
+        let (yaml_content, _body) = if let Some(after_first) = trimmed.strip_prefix("---") {
             match after_first.find("\n---") {
                 Some(end_idx) => (
                     after_first[..end_idx].trim().to_string(),
@@ -965,7 +961,10 @@ description: A skill with non-kebab name
 
         // Skill should be copied to talent
         assert!(talent_skills.join("my-skill").exists());
-        assert!(talent_skills.join("my-skill").join(SKILL_FILE_NAME).exists());
+        assert!(talent_skills
+            .join("my-skill")
+            .join(SKILL_FILE_NAME)
+            .exists());
 
         // Source should NOT be removed (unlike regular import)
         assert!(source_path.exists());