first commit

Author: kanywst

.github/CODEOWNERS

@@ -0,0 +1,7 @@
+# every change requires review by a codeowner.
+# enforced via branch protection: require pr + 1 review + codeowner review.
+
+*                       @0-draft/maintainers
+.github/workflows/      @0-draft/security
+scripts/                @0-draft/security
+SECURITY.md             @0-draft/security

.github/dependabot.yml

@@ -0,0 +1,16 @@
+# dependabot scope is intentionally narrow:
+# only github-actions, because sha-pinned action references go stale and
+# stale pins quietly carry old cves into every fork.
+# npm dependabot is a per-fork choice, not a template choice.
+
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "ci"
+      include: scope

.github/pull_request_template.md

@@ -0,0 +1,10 @@
+## summary
+
+<!-- one or two lines on intent -->
+
+## checklist
+
+- [ ] commits are signed (`gitsign` or gpg)
+- [ ] no third-party action references a tag (run `npm run pin-actions` if you added any)
+- [ ] if this changes the release pipeline, attach a sample rekor entry url or in-toto bundle
+- [ ] `npm run check` passes locally

.github/workflows/ci.yml

@@ -0,0 +1,69 @@
+# template note:
+# action references in this file ship as semver tags so the template builds on day one.
+# after `scripts/init.sh`, run `npm run pin-actions` (or it runs automatically) to rewrite
+# every `uses:` line to a full commit sha. dependabot bumps the sha; the trailing
+# `# v6.x` comment is preserved for human readability.
+
+name: ci
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ci:
+    name: lint / typecheck / test / audit / build
+    runs-on: ubuntu-latest
+    steps:
+      - name: harden runner
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        with:
+          node-version: 24
+          cache: npm
+
+      - name: install (locked, no scripts)
+        run: npm ci --ignore-scripts
+
+      - name: lint
+        run: npm run lint
+
+      - name: typecheck
+        run: npm run typecheck
+
+      - name: test
+        run: npm run test
+
+      - name: audit
+        run: npm run audit
+
+      - name: build
+        run: npm run build
+
+  pinned-actions:
+    name: every action is sha-pinned
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: assert no tag references in workflows
+        run: bash scripts/check-pins.sh

.github/workflows/release.yml

@@ -0,0 +1,139 @@
+# release flow:
+#   1. tag v* on main triggers this workflow
+#   2. build job produces a tarball + slsa provenance via the slsa-github-generator
+#      reusable workflow (which runs in an isolated builder, not in our repo's runner)
+#   3. publish job uses npm trusted publisher (oidc) to publish with --provenance
+#   4. sign job runs cosign sign-blob keylessly, identity = this workflow
+#
+# secrets used: none. there is no NPM_TOKEN. credentials are minted via oidc per run.
+
+name: release
+
+on:
+  push:
+    tags: ["v*"]
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  build:
+    name: build tarball + slsa provenance
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    outputs:
+      tarball-name: ${{ steps.pack.outputs.tarball-name }}
+      tarball-sha256: ${{ steps.pack.outputs.tarball-sha256 }}
+    steps:
+      - name: harden runner
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        with:
+          node-version: 24
+          cache: npm
+          registry-url: https://registry.npmjs.org
+
+      - name: install (locked, no scripts)
+        run: npm ci --ignore-scripts
+
+      - name: build
+        run: npm run build
+
+      - name: pack
+        id: pack
+        run: |
+          set -euo pipefail
+          tarball=$(npm pack --silent | tail -n 1)
+          sha=$(shasum -a 256 "$tarball" | awk '{print $1}')
+          echo "tarball-name=$tarball" >>"$GITHUB_OUTPUT"
+          echo "tarball-sha256=$sha"   >>"$GITHUB_OUTPUT"
+
+      - name: upload tarball
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: tarball
+          path: ${{ steps.pack.outputs.tarball-name }}
+          if-no-files-found: error
+          retention-days: 7
+
+  provenance:
+    name: slsa v1.0 provenance
+    needs: [build]
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
+    with:
+      base64-subjects: ${{ needs.build.outputs.tarball-sha256 }}
+      provenance-name: ${{ needs.build.outputs.tarball-name }}.intoto.jsonl
+      upload-assets: true
+
+  publish:
+    name: npm trusted publisher (--provenance)
+    needs: [build, provenance]
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: harden runner
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        with:
+          node-version: 24
+          registry-url: https://registry.npmjs.org
+
+      - name: download tarball
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        with:
+          name: tarball
+
+      - name: publish
+        run: npm publish "${{ needs.build.outputs.tarball-name }}" --provenance --access public
+
+  sign:
+    name: cosign sign-blob (keyless)
+    needs: [build, publish]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+
+      - name: download tarball
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        with:
+          name: tarball
+
+      - name: sign
+        run: |
+          cosign sign-blob --yes \
+            --output-signature "${{ needs.build.outputs.tarball-name }}.sig" \
+            --output-certificate "${{ needs.build.outputs.tarball-name }}.crt" \
+            "${{ needs.build.outputs.tarball-name }}"
+
+      - name: attach signature to release
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        with:
+          files: |
+            ${{ needs.build.outputs.tarball-name }}.sig
+            ${{ needs.build.outputs.tarball-name }}.crt

.github/workflows/scorecard.yml

@@ -0,0 +1,44 @@
+name: scorecard
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: "31 6 * * 1"
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: openssf scorecard
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: run analysis
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: upload artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: scorecard-results
+          path: results.sarif
+          retention-days: 5
+
+      - name: upload to code-scanning
+        uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -0,0 +1,26 @@
+node_modules
+dist
+coverage
+
+# release artifacts (built locally, never committed)
+*.tgz
+*.sig
+*.crt
+*.intoto.jsonl
+audit.json
+
+# editor / os
+.DS_Store
+.vscode
+.idea
+*.swp
+*.swo
+
+# logs
+*.log
+npm-debug.log*
+
+# env (commit only .env.example)
+.env
+.env.*
+!.env.example

.markdownlint-cli2.jsonc

@@ -0,0 +1,16 @@
+{
+  "config": {
+    "default": true,
+    "MD013": false,
+    "MD024": false,
+    "MD033": { "allowed_elements": ["div", "picture", "source", "img"] },
+    "MD036": false,
+    "MD041": false,
+    "MD060": false
+  },
+  "ignores": [
+    "node_modules",
+    "dist",
+    "coverage"
+  ]
+}

.npmrc

@@ -0,0 +1,4 @@
+# engine-strict makes npm refuse to install on a node version outside `engines`.
+# fund=false silences the donate prompt; everything else here is npm 11 default.
+engine-strict=true
+fund=false

CODE_OF_CONDUCT.md

@@ -0,0 +1,13 @@
+# code of conduct
+
+this project adopts the [contributor covenant v2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/).
+
+## reporting
+
+email <conduct@0-draft.dev> or use github private vulnerability reporting for sensitive cases.
+maintainers will respond within 72 hours and treat reports as confidential.
+
+## enforcement
+
+violations follow the contributor covenant enforcement ladder: correction → warning → temporary ban → permanent ban.
+maintainers decide and document each action in a private incident log.