Chore/license split apache wire format

.editorconfig

@@ -0,0 +1,36 @@
+# EditorConfig — https://editorconfig.org
+# Top-level config; no parent lookups beyond this file.
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+# Go uses tabs (gofmt is non-negotiable).
+[*.go]
+indent_style = tab
+
+# TS / JS / JSON — 2-space (matches Prettier + tsconfig conventions).
+[*.{ts,tsx,js,jsx,mjs,cjs,json,jsonc}]
+indent_style = space
+indent_size = 2
+
+# YAML — 2-space (contract/*.yaml, GitHub Actions).
+[*.{yml,yaml}]
+indent_style = space
+indent_size = 2
+
+# Markdown — preserve trailing spaces (two-space line-break trick).
+[*.md]
+trim_trailing_whitespace = false
+
+# Makefiles require literal tabs.
+[Makefile]
+indent_style = tab
+
+[**/Makefile]
+indent_style = tab

.github/CODEOWNERS

@@ -0,0 +1,31 @@
+# CODEOWNERS — Review routing for edge-agents
+#
+# Syntax: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+# Order matters: the LAST matching pattern wins for a given file.
+#
+# NOTE: The @ForestHubAI/maintainers team must exist in the GitHub org
+# (Org Settings → Teams) for these mentions to resolve. Without the team,
+# GitHub will show "Unknown owner" warnings on the Branch protection /
+# PR review UI but CODEOWNERS routing will silently no-op.
+
+# ---------------------------------------------------------------------------
+# Default owner — applies to anything not covered by a more specific rule below
+# ---------------------------------------------------------------------------
+*                   @ForestHubAI/maintainers
+
+# ---------------------------------------------------------------------------
+# Language subtrees
+# ---------------------------------------------------------------------------
+/go/                @ForestHubAI/maintainers
+/ts/                @ForestHubAI/maintainers
+
+# ---------------------------------------------------------------------------
+# Contract subtree — CRITICAL: this is the source of truth. Drift between
+# go/ and ts/ codegen from the OpenAPI 3.0.3 contracts must always be reviewed.
+# ---------------------------------------------------------------------------
+/contract/          @ForestHubAI/maintainers
+
+# ---------------------------------------------------------------------------
+# Repo meta: CI workflows, issue templates, CODEOWNERS itself
+# ---------------------------------------------------------------------------
+/.github/           @ForestHubAI/maintainers

.github/CONTRIBUTING.md

@@ -100,11 +100,14 @@ Use clear, prefixed messages: `feat:`, `fix:`, `refactor:`, `test:`, `docs:`.
 
 ## License and Contributor Agreement
 
-edge-agents is dual-licensed: the public release is distributed under
-[AGPL-3.0](../LICENSE), and ForestHub offers separate commercial licenses for use
-cases that are incompatible with the AGPL (commercial licensing: root@foresthub.ai).
-To keep this model viable, every contribution must grant ForestHub the rights needed
-to offer it under both license regimes.
+edge-agents uses a **two-tier license model**: the `contract/` and
+`ts/workflow-core/` subdirectories are released under [Apache-2.0](../contract/LICENSE),
+and all other components (engine, LLM proxy, workflow-builder, app) are released
+under [AGPL-3.0](../LICENSE) with the option for ForestHub to also offer them under a
+separate commercial license for use cases that are incompatible with the AGPL
+(commercial licensing: root@foresthub.ai). To keep this model viable, every
+contribution must grant ForestHub the rights needed to offer it under both license
+regimes.
 
 **By submitting a contribution (pull request, patch, or any other code or
 documentation change), you agree to the following terms:**
@@ -153,3 +156,16 @@ including for presently unknown forms of use to the extent allowed by §31a UrhG
 You confirm these terms by checking the Contributor License Agreement boxes in the pull
 request template when you open your PR. A maintainer verifies this before merging; a PR
 whose CLA boxes are not checked will not be merged.
+
+### Which license your contribution falls under
+
+The repository uses a two-tier license model:
+
+- Contributions to `contract/` and `ts/workflow-core/` are released under
+  **Apache-2.0**.
+- Contributions to all other paths (engine, LLM proxy, workflow-builder, app) are
+  released under **AGPL-3.0-only** with the option for ForestHub to also offer them
+  under a commercial license (per the CLA above).
+
+If your PR touches both tiers, the per-file license header (or, where absent, the
+directory-level `LICENSE`/`NOTICE`) governs.

.github/FUNDING.yml

@@ -0,0 +1,18 @@
+# GitHub Sponsors and other funding platforms for this repository.
+# Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+
+github: ForestHubAI
+
+# Additional platforms (uncomment to enable later):
+# patreon: # Replace with a single Patreon username
+# open_collective: # Replace with a single Open Collective username
+# ko_fi: # Replace with a single Ko-fi username
+# tidelift: # Replace with a single Tidelift platform-name/package-name
+# community_bridge: # Replace with a single Community Bridge project-name
+# liberapay: # Replace with a single Liberapay username
+# issuehunt: # Replace with a single IssueHunt username
+# lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name
+# polar: # Replace with a single Polar username
+# buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
+# thanks_dev: # Replace with a single thanks.dev username
+# custom: # Replace with up to 4 custom sponsorship URLs

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,31 @@
+# Issue-template chooser config.
+# Reference: https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository
+#
+# Forces contributors to pick a structured template (bug_report / feature_request)
+# instead of opening blank issues. The contact_links route off-topic intents
+# (questions, security reports, commercial inquiries) to the right channel so
+# the issue tracker stays focused on actionable engineering work.
+
+blank_issues_enabled: false
+
+contact_links:
+  - name: Question / Discussion
+    url: https://github.com/ForestHubAI/edge-agents/discussions
+    about: |
+      Have a question, an idea, or want to discuss usage? Please open a
+      GitHub Discussion instead of an issue. (If Discussions is not yet
+      enabled on this repo, this link will 404 until the maintainer turns
+      it on in Settings → Features.)
+
+  - name: Security Vulnerability
+    url: https://github.com/ForestHubAI/edge-agents/security/advisories/new
+    about: |
+      Please do NOT open a public issue for security vulnerabilities. Use
+      GitHub's private vulnerability reporting, or email root@foresthub.ai.
+      See .github/SECURITY.md for scope and process.
+
+  - name: Commercial License Inquiry
+    url: mailto:root@foresthub.ai
+    about: |
+      edge-agents is dual-licensed (AGPL-3.0-only + commercial). For use
+      cases that are incompatible with AGPL, contact root@foresthub.ai.

.github/PULL_REQUEST_TEMPLATE.md

@@ -26,6 +26,6 @@
 
 ## Contributor License Agreement
 
-- [ ] I agree to the terms in [CONTRIBUTING.md § License and Contributor Agreement](./CONTRIBUTING.md#license-and-contributor-agreement), including ForestHub's right to relicense my contribution commercially in addition to AGPL-3.0.
+- [ ] I agree to the terms in [CONTRIBUTING.md § License and Contributor Agreement](./CONTRIBUTING.md#license-and-contributor-agreement). I understand that contributions to `contract/` and `ts/workflow-core/` are released under Apache-2.0, and contributions to all other paths are released under AGPL-3.0-only with ForestHub's right to also offer them under a commercial license.
 - [ ] My contribution is my own original work and I am legally entitled to submit it under these terms.
 - [ ] This contribution was created **outside** any employment, work-for-hire, or contractor obligations and **without** the use of employer-owned equipment, accounts, or time — **OR** my employer has explicitly authorized me to submit it under these terms and has waived any rights under §69b UrhG (or equivalent foreign law) for this contribution.

.github/dependabot.yml

@@ -0,0 +1,70 @@
+version: 2
+
+updates:
+  # Go module (root of Go code is /go)
+  - package-ecosystem: "gomod"
+    directory: "/go"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore"
+      prefix-development: "chore"
+      include: "scope"
+    groups:
+      go-minor-and-patch:
+        applies-to: version-updates
+        update-types:
+          - "minor"
+          - "patch"
+      go-security:
+        applies-to: security-updates
+        update-types:
+          - "minor"
+          - "patch"
+
+  # npm workspace root (handles workflow-core, workflow-builder, app)
+  - package-ecosystem: "npm"
+    directory: "/ts"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore"
+      prefix-development: "chore"
+      include: "scope"
+    groups:
+      npm-minor-and-patch:
+        applies-to: version-updates
+        update-types:
+          - "minor"
+          - "patch"
+      npm-security:
+        applies-to: security-updates
+        update-types:
+          - "minor"
+          - "patch"
+
+  # GitHub Actions workflows
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    groups:
+      actions-minor-and-patch:
+        applies-to: version-updates
+        update-types:
+          - "minor"
+          - "patch"
+      actions-security:
+        applies-to: security-updates
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/codeql.yml

@@ -0,0 +1,51 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly on Sundays at 04:17 UTC. Off-peak, off the hour.
+    - cron: "17 4 * * 0"
+
+permissions:
+  contents: read
+  actions: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        # CodeQL's modern "javascript-typescript" identifier covers ts/.
+        # "go" covers go/ — autobuild finds the module via go/go.mod.
+        language: [go, javascript-typescript]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go/go.mod
+          cache-dependency-path: go/go.sum
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/gitleaks.yml

@@ -0,0 +1,29 @@
+name: gitleaks
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    name: Scan for leaked secrets
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout (full history)
+        uses: actions/checkout@v4
+        with:
+          # gitleaks needs the full history to scan past commits, not just
+          # the diff. Shallow clone would miss anything before the last fetch.
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # No GITLEAKS_LICENSE on purpose: it's a paid-tier key. Public repos
+          # get full functionality on the free tier without it.

.github/workflows/lint.yml

@@ -0,0 +1,43 @@
+name: Lint
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  go-lint:
+    name: Go (golangci-lint)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go/go.mod
+          cache-dependency-path: go/go.sum
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+          working-directory: go
+          args: --timeout=5m
+
+  ts-lint:
+    name: TS (eslint)
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ts
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: ts/package-lock.json
+      - run: npm ci
+      - run: npm run lint