docs: add CONTRIBUTING, SECURITY, and issue/PR templates

Establish contributor workflow and responsible-disclosure
policy, and replace blank issues with structured bug-report
and feature-request forms.

Author: Aqib-Rime

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,79 @@
+name: Bug report
+description: Report a bug in the mobile app, admin, or backend
+title: "bug: "
+labels: ["bug", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug report. Please fill in as much detail as you can — it helps us ship a fix faster.
+
+  - type: dropdown
+    id: surface
+    attributes:
+      label: Where did the bug happen?
+      options:
+        - Mobile app (iOS)
+        - Mobile app (Android)
+        - Admin panel (web)
+        - Backend / API
+        - Build / deploy / monorepo tooling
+        - Not sure
+    validations:
+      required: true
+
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: A clear description of what went wrong and what you expected instead.
+      placeholder: "When I tap the qibla compass, the dial freezes and stops responding to phone movement…"
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce
+      description: The minimal set of steps to trigger the bug.
+      placeholder: |
+        1. Open the app
+        2. Go to Profile → Find Qibla
+        3. Rotate the phone 180°
+        4. Observe: dial does not rotate
+    validations:
+      required: true
+
+  - type: input
+    id: platform-version
+    attributes:
+      label: Platform + OS version
+      description: e.g. iOS 18.2 on iPhone 15 Pro, Android 14 on Pixel 8, Chrome 130 on macOS 15
+    validations:
+      required: true
+
+  - type: input
+    id: app-version
+    attributes:
+      label: App / commit version
+      description: Git SHA or EAS build number (check Settings → About in the app)
+    validations:
+      required: false
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs, screenshots, or screen recordings
+      description: Drop them here. Metro / Wrangler / console output is especially helpful for crashes.
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: prechecks
+    attributes:
+      label: Pre-submission checklist
+      options:
+        - label: I searched existing issues and this one isn't already reported
+          required: true
+        - label: I am running the latest `main` (or have noted the exact commit above)
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/Aqib-Rime/qibla/security/advisories/new
+    about: Please do not open public issues for security vulnerabilities. Use private reporting instead.
+  - name: Question or discussion
+    url: https://github.com/Aqib-Rime/qibla/discussions
+    about: For general questions, ideas, or anything that isn't a clear bug or feature request.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,55 @@
+name: Feature request
+description: Suggest a new feature or an improvement to an existing one
+title: "feat: "
+labels: ["enhancement", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Before filing, please check the [V2 scope](https://github.com/Aqib-Rime/qibla) to see if the idea is already planned. For anything larger than a small tweak, please describe the use case first — implementation details can come later.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem does this solve?
+      description: The user-facing problem or friction point. Skip the solution for now — focus on the "why".
+      placeholder: "When I travel between neighborhoods I want to compare mosques by distance, but the list is only sortable by name…"
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: How you think it could work. Mockups, code sketches, or links to similar features in other apps are all welcome.
+    validations:
+      required: false
+
+  - type: dropdown
+    id: surface
+    attributes:
+      label: Which surface?
+      options:
+        - Mobile app (iOS + Android)
+        - Admin panel
+        - Backend / API
+        - Monorepo tooling / build
+        - Cross-cutting
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Other approaches you thought about and why you set them aside.
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: prechecks
+    attributes:
+      label: Pre-submission checklist
+      options:
+        - label: I searched existing issues and this isn't already requested
+          required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,37 @@
+<!--
+  Thanks for opening a PR! Keep the title in Conventional Commits format:
+    feat(mobile/qibla): add calibration overlay
+    fix(admin/reviews): recompute rating on status change
+    docs: expand EAS build instructions
+-->
+
+## Summary
+
+<!-- One or two sentences on what this PR does and why. Link issues with "Closes #123" if relevant. -->
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Refactor (no behavior change)
+- [ ] Documentation / README
+- [ ] Build, CI, or tooling
+- [ ] Breaking change
+
+## Testing
+
+<!-- How did you verify this works? Device + OS for mobile changes, browser for admin. -->
+
+- [ ] `bun run typecheck` passes
+- [ ] `bun run lint` passes
+- [ ] Tested locally (describe the flow below)
+
+<!-- Paste screenshots, GIFs, or log output here when useful. -->
+
+## Checklist
+
+- [ ] Title follows Conventional Commits (`feat(scope): ...`)
+- [ ] No secrets committed (`.env.local`, `.dev.vars`)
+- [ ] Docs / README updated if the user-facing behavior changed
+- [ ] Mobile UI tested in a dev build on a real device (if touching native APIs)
+- [ ] Admin changes tested against a real Neon database

CONTRIBUTING.md

@@ -0,0 +1,82 @@
+# Contributing to Qibla
+
+Thanks for your interest in Qibla. Contributions, bug reports, and feature ideas are all welcome.
+
+## Before you start
+
+For anything non-trivial, **please open an issue first** so we can align on scope and direction before you spend time writing code. Small fixes (typos, obvious bugs, docs improvements) can go straight to a PR.
+
+## Development setup
+
+The full getting-started guide lives in the [README](./README.md#getting-started). Quick version:
+
+```bash
+git clone https://github.com/Aqib-Rime/qibla.git
+cd qibla
+bun install
+cp .env.example .env.local    # fill in Neon URL + auth secret
+bun db:push
+bun db:seed
+bun run dev:admin             # terminal 1
+cd apps/mobile && bun start   # terminal 2
+```
+
+## Workflow
+
+1. Fork the repo and create a topic branch from `main` — prefer a short, descriptive name: `feat/events-admin`, `fix/qibla-heading-drift`, `docs/env-vars`
+2. Make your change
+3. Keep these commands green before opening the PR:
+   ```bash
+   bun run typecheck
+   bun run lint
+   ```
+4. Open a PR against `main`
+
+## Commit messages
+
+Follow the existing convention — [Conventional Commits](https://www.conventionalcommits.org/) with a feature scope:
+
+```
+feat(mobile/qibla): add calibration overlay
+fix(admin/reviews): recompute rating on status change
+docs: add EAS build notes
+chore: bump expo to 54.0.34
+```
+
+Do **not** amend, squash, or rewrite commits already pushed to `main`.
+
+## PR checklist
+
+- [ ] The PR title follows the Conventional Commits format
+- [ ] `bun run typecheck` passes
+- [ ] `bun run lint` passes
+- [ ] The change is covered by the existing README / docs (or docs updated)
+- [ ] For mobile UI changes: tested in a dev build on a real device (not just Expo Go)
+- [ ] For admin changes: tested against a real Neon database, not a mocked one
+- [ ] No secrets committed (check `.env.local`, `.dev.vars`)
+
+## Coding guidelines
+
+- **TypeScript everywhere** — no `any` unless there's a comment explaining why
+- **Feature-module architecture** — new mobile features live in `apps/mobile/features/<name>/` with `components/`, `hooks/`, `lib/`, and a barrel `index.ts`. See existing features for the pattern
+- **Route files are thin** — they should re-export from a feature module, not contain logic
+- **Styling** — NativeWind on mobile, Tailwind v4 + shadcn primitives on admin. No ad-hoc StyleSheet or CSS-in-JS
+- **API** — add new endpoints to `packages/api`. Use `publicProcedure` / `authedProcedure` / `adminProcedure` depending on access level
+- **DB** — all schema changes go through Drizzle. Run `bun db:generate` to create a migration, commit the generated SQL
+
+## Reporting bugs
+
+Open a [bug report](https://github.com/Aqib-Rime/qibla/issues/new/choose) with:
+
+- Platform + OS version (iOS 18 on iPhone 15, Android 14 on Pixel 8, etc.)
+- Steps to reproduce
+- Expected vs actual behavior
+- Logs / screenshots if you have them
+
+## Security issues
+
+Please do **not** open a public issue for security vulnerabilities. See [SECURITY.md](./SECURITY.md) for responsible disclosure.
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the [MIT License](./LICENSE).

SECURITY.md

@@ -0,0 +1,49 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+If you discover a security vulnerability in Qibla, **please do not open a public GitHub issue.** Public issues are visible to everyone and can put users at risk before a fix ships.
+
+Instead, report it privately using one of these channels:
+
+- **GitHub Private Vulnerability Reporting** — open [Report a vulnerability](https://github.com/Aqib-Rime/qibla/security/advisories/new) on the Security tab of the repo (preferred)
+- **Email** — send details to the maintainer directly via the email listed on [@Aqib-Rime's GitHub profile](https://github.com/Aqib-Rime)
+
+Please include:
+
+- A description of the vulnerability
+- Steps to reproduce
+- The affected component (mobile app / admin / API / auth / DB)
+- Your assessment of the impact
+- Any suggested mitigations, if you have them
+
+## What to expect
+
+- **Acknowledgement** within 72 hours
+- **Initial assessment** within 7 days
+- **Fix or mitigation plan** communicated before any public disclosure
+- **Credit** in the release notes once the fix ships, if you want it
+
+## Supported versions
+
+This project is pre-1.0 and under active development. Only the `main` branch is supported. Please run the latest commit when reporting issues.
+
+## Scope
+
+In-scope:
+
+- The mobile app (`apps/mobile`)
+- The admin / API (`apps/admin`)
+- All shared packages (`packages/*`)
+- The deployment configuration (Cloudflare Workers, EAS)
+
+Out of scope (report to the upstream project instead):
+
+- Vulnerabilities in Expo, TanStack Start, Drizzle, Better Auth, oRPC, or other dependencies
+- Issues in third-party services (Neon, Cloudflare, AlAdhan API, Google Maps)
+
+## Responsible disclosure
+
+We ask that you give us a reasonable window — typically 90 days — to ship a fix before any public disclosure. If the vulnerability is being actively exploited, we will work with you on an accelerated timeline.
+
+Thank you for helping keep Qibla and its users safe.