setup: add community files, dependabot, and npm security config

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,73 @@
+name: Bug report
+description: Something is not working as expected
+labels: ["bug", "needs-triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Before filing a bug, check whether it has already been reported in [existing issues](https://github.com/ratifydata/ratify/issues).
+
+        The more specific you are, the faster we can reproduce and fix the problem.
+
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened
+      description: A clear description of the bug. What did you do, what did you expect, and what actually happened?
+      placeholder: |
+        I ran `ratify contract activate <id>` and expected the contract status to change to "active".
+        Instead, the CLI exited with error: "failed to connect to database: connection refused".
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      description: The exact steps needed to reproduce the bug. Be as specific as possible.
+      placeholder: |
+        1. Start the server with `docker compose up`
+        2. Create a contract with `ratify contract create`
+        3. Run `ratify contract activate <id>`
+        4. See error
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behaviour
+      description: What should have happened?
+    validations:
+      required: true
+
+  - type: textarea
+    id: environment
+    attributes:
+      label: Environment
+      description: Fill in the details for your setup.
+      value: |
+        - Ratify version (or commit hash):
+        - Go version (`go version`):
+        - OS:
+        - PostgreSQL version:
+        - Deployment method (docker compose / binary):
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant logs or error output
+      description: Paste any relevant log output here. The server logs structured JSON — the full log line is more useful than just the message.
+      render: shell
+
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Before submitting
+      options:
+        - label: I have searched existing issues and this has not been reported before
+          required: true
+        - label: I am running the latest version of Ratify
+          required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Discord - quick questions
+    url: https://discord.gg/RVU3cdRs9z
+    about: For quick questions, Discord is faster than a GitHub issue.
+  - name: Security vulnerability
+    url: https://github.com/ratifydata/ratify/security/advisories/new
+    about: Report security vulnerabilities privately using GitHub's advisory system.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,69 @@
+name: Feature request
+description: Suggest something new or an improvement to existing behaviour
+labels: ["enhancement", "needs-triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Feature requests are most useful when they are grounded in a real problem.
+        "It would be cool if..." requests are harder to act on than "I keep running into this situation and here is what I need."
+
+        If you are not sure whether something is worth requesting, bring it up in [Discord](https://discord.gg/RVU3cdRs9z) first.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem are you running into
+      description: Describe the situation that prompted this request. What are you trying to do, and what is getting in the way?
+      placeholder: |
+        When I have 20+ consumers registered on a contract, the proposal notification emails
+        are going to individual addresses. I need a way to send to a team distribution list
+        instead of enumerating every person.
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: What you would like to see
+      description: Describe the behaviour you want. Be specific about the interface — CLI command, API endpoint, UI element, config option, whatever is relevant.
+      placeholder: |
+        Allow a team to have a single notification_email field that receives all proposal
+        notifications for that team, instead of sending to each team member individually.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: What you have tried instead
+      description: How are you working around this today? Understanding the workaround helps us understand the severity of the gap.
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Which area of the tool does this relate to
+      options:
+        - Contract authoring
+        - Change proposals
+        - Consumer notifications
+        - Breach detection
+        - Audit trail
+        - CLI
+        - Web UI
+        - API
+        - Docker / deployment
+        - Documentation
+        - Other
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Before submitting
+      options:
+        - label: I have searched existing issues and this has not been requested before
+          required: true
+        - label: I have checked the roadmap in the README and this is not already planned
+          required: false

.github/ISSUE_TEMPLATE/question.yml

@@ -0,0 +1,44 @@
+name: Question
+description: Something is unclear or you need help understanding how Ratify works
+labels: ["question"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        For quick questions, [Discord](https://discord.gg/RVU3cdRs9z) is faster than GitHub issues.
+
+        Use this form if your question is detailed enough that it might be worth turning into documentation once answered.
+
+  - type: textarea
+    id: question
+    attributes:
+      label: What would you like to understand
+      description: Ask your question as specifically as you can. Include what you have already read or tried.
+    validations:
+      required: true
+
+  - type: textarea
+    id: context
+    attributes:
+      label: What you have already tried or read
+      description: This helps avoid repeating things you already know and gets to the useful part faster.
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Which area does your question relate to
+      options:
+        - Getting started / installation
+        - Contract authoring
+        - Change proposals
+        - Consumer notifications
+        - Breach detection
+        - Audit trail
+        - CLI usage
+        - Web UI
+        - API
+        - Docker / deployment
+        - Contributing to the codebase
+        - Other
+    validations:
+      required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,21 @@
+## What this PR does
+
+<!-- One or two sentences. What problem does it solve or what does it add? -->
+
+## How to test it
+
+<!-- Tell the reviewer exactly how to verify this works.
+     "It compiles" is not enough. If it is UI work, include a screenshot. -->
+
+## Checklist
+
+- [ ] I have run `go test ./...` and all tests pass
+- [ ] I have run `golangci-lint run ./...` and there are no lint errors
+- [ ] I have run `npm run lint` and `npm run format:check` if I changed frontend code
+- [ ] I have added tests for new behaviour (or explained why tests are not needed)
+- [ ] I have updated `CHANGELOG.md` under `[Unreleased]` if this changes behaviour
+- [ ] My commit messages follow the Conventional Commits format (`feat:`, `fix:`, etc.)
+
+## Related issues
+
+<!-- Link any related issues here. Use "Closes #123" to auto-close on merge. -->

.github/dependabot.yml

@@ -0,0 +1,72 @@
+version: 2
+
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "UTC"
+    groups:
+      go-dependencies:
+        patterns:
+          - "*"
+    cooldown:
+      default-days: 3
+      semver-major-days: 14
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "go"
+
+  - package-ecosystem: "npm"
+    directory: "/frontend"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "UTC"
+    groups:
+      npm-dependencies:
+        patterns:
+          - "*"
+    cooldown:
+      default-days: 7
+      semver-major-days: 30
+      semver-minor-days: 7
+      semver-patch-days: 7
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "frontend"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "UTC"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    cooldown:
+      default-days: 3
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "ci"

CHANGELOG.md

@@ -0,0 +1,56 @@
+# Changelog
+
+All notable changes to Ratify are recorded here.
+
+The format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+Ratify uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+Until v1.0, breaking changes may happen between minor versions.
+After v1.0, we commit to not breaking the API within a major version.
+
+---
+
+## [Unreleased]
+
+### Added
+- Initial project structure and repository setup
+- Go module initialised (`github.com/ratifydata/ratify`)
+- React + TypeScript + Vite frontend scaffold
+- GitHub Actions CI pipeline (Backend, Frontend, Security, PR Title Format)
+- Docker Compose local development environment with PostgreSQL 16
+- Two-stage production Dockerfile, final image under 50MB
+- Air live-reload development Dockerfile
+- Environment variable loading via Viper (`internal/config`)
+- Database migration runner via golang-migrate (`internal/db`)
+- `GET /health` endpoint - returns `{"status":"ok","database":"ok","version":"0.1.0"}`
+- HTTP server with graceful shutdown on SIGINT/SIGTERM
+- Chi router with Logger and Recoverer middleware
+- pgx/v5 connection pool
+- pgcrypto extension enabled via migration 000001 (required for UUID generation)
+- Structured JSON logging via `log/slog`
+- golangci-lint v2 configuration
+- Prettier + ESLint frontend code quality tooling
+- `.gitattributes` enforcing Unix line endings
+
+---
+
+## How this file works
+
+Every pull request that changes behaviour - new features, bug fixes,
+deprecations, removals - adds an entry to the `[Unreleased]` section
+above under the appropriate heading.
+
+When we cut a release, the `[Unreleased]` section becomes the new
+version entry (e.g. `[0.2.0] - 2026-07-01`) and a fresh `[Unreleased]`
+section is opened above it.
+
+**Heading types used in this file:**
+
+- `Added` - new features or capabilities
+- `Changed` - changes to existing behaviour
+- `Deprecated` - features that will be removed in a future version
+- `Removed` - features removed in this version
+- `Fixed` - bug fixes
+- `Security` - security fixes (always include the CVE or advisory link if one exists)
+
+Not every commit needs a changelog entry. Dependency updates, refactors that do not change behaviour, and internal tooling changes do not need one. Features, fixes, and anything that changes how the tool behaves do.

frontend/.npmrc

@@ -0,0 +1,4 @@
+# Enforce security boundaries inside npm package lifecycles
+ignore-scripts=true
+save-exact=true
+min-release-age=7