docs(oss-prep): add LICENSE (MIT) + SECURITY + CODE_OF_CONDUCT + CONTRIBUTING (#11)

Pre-public OSS prep — community-profile completion before visibility flip from PRIVATE to PUBLIC.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

CODE_OF_CONDUCT.md

@@ -0,0 +1,24 @@
+# Code of conduct
+
+InstaNode is a small, focused engineering community. We want everyone who participates — issue reporters, PR authors, reviewers, maintainers — to feel safe and respected.
+
+## Expectations
+
+- Be respectful in code review and issues. Critique code, not people.
+- Assume good intent. Ask questions before making accusations.
+- Keep discussions on topic. Off-topic and inflammatory threads will be closed.
+- No harassment, personal attacks, discriminatory language, or unwelcome sexual attention.
+
+## Enforcement
+
+Maintainers may close issues, lock threads, edit comments, or block accounts that violate these expectations.
+
+## Reporting
+
+Email security@instanode.dev to report a concern. We treat reports confidentially. We aim to respond within 72 hours.
+
+## Scope
+
+These expectations apply to all project spaces — issues, pull requests, discussions, and any official InstaNode communication channel — and to public spaces when someone is representing the project.
+
+This policy is intentionally short; we will lengthen it as the community grows.

CONTRIBUTING.md

@@ -0,0 +1,40 @@
+# Contributing to the InstaNode provisioner
+
+## Filing issues
+
+Bugs and feature requests: https://github.com/InstaNode-dev/provisioner/issues.
+
+For platform-wide issues (provisioning, billing, deploys) file at the [api repo](https://github.com/InstaNode-dev/api/issues) instead.
+
+## Workflow
+
+```
+git clone https://github.com/InstaNode-dev/provisioner
+cd provisioner
+go build ./...
+go vet ./...
+go test ./... -short -p 1
+```
+
+(For infra: substitute YAML lint / kubeconform / shellcheck per the validate workflow.)
+
+All gates must be green before opening a PR.
+
+## Style
+
+- Follow existing patterns in the file you're touching.
+- Tests next to source.
+- Public symbols get godoc comments.
+- Errors wrapped with `fmt.Errorf("context: %w", err)`.
+
+## PR checklist
+
+- Local gate green
+- New behavior → test
+- New public symbol → godoc
+- Commit message: short imperative subject, fuller body explaining the why
+- Include the `Co-Authored-By` trailer for AI-assisted commits
+
+## License
+
+MIT. By contributing, you agree your contributions are licensed under the same.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 InstaNode
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

SECURITY.md

@@ -0,0 +1,23 @@
+# Security policy
+
+## Reporting a vulnerability
+
+Email **security@instanode.dev** with the details: reproduction steps, scope, suspected impact.
+
+SLA: 72-hour initial acknowledgement. 30 days for P0/P1 fix. 90-day coordinated disclosure window.
+
+No paid bug bounty currently — service credits for confirmed P0/P1 disclosures.
+
+## In scope
+
+- This repository's source
+- https://api.instanode.dev
+- https://instanode.dev
+
+## Out of scope
+
+- Third-party integrations (Razorpay, Brevo, DigitalOcean, etc.) — report directly to those vendors
+
+## Safe harbor
+
+Good-faith security research that does not compromise customer data, does not disrupt service, and follows coordinated disclosure is safe from legal action under this policy.