docs: community health files

.backlog/tasks/task-5 - Add-SECURITY.md.md → .backlog/completed/task-5 - Add-SECURITY.md.md

@@ -1,8 +1,10 @@
 ---
 id: TASK-5
 title: Add SECURITY.md
-status: To Do
-assignee: []
+status: Done
+assignee:
+  - claude
+  - piotrzajac
 created_date: '2026-04-07 20:56'
 labels:
   - doc
@@ -19,7 +21,7 @@ Create a SECURITY.md file at the repository root that documents the vulnerabilit
 
 ## Acceptance Criteria
 <!-- AC:BEGIN -->
-- [ ] #1 SECURITY.md exists at the repository root
-- [ ] #2 Covers: how to report a vulnerability privately, expected response timeline, supported versions
-- [ ] #3 GitHub 'Report a vulnerability' link is active (enabled in repo Security settings)
+- [x] #1 SECURITY.md exists at the repository root
+- [x] #2 Covers: how to report a vulnerability privately, expected response timeline, supported versions
+- [x] #3 GitHub 'Report a vulnerability' link is active (enabled in repo Security settings)
 <!-- AC:END -->

.backlog/completed/task-6 - Add-CODE_OF_CONDUCT.md.md

@@ -0,0 +1,26 @@
+---
+id: TASK-6
+title: Add CODE_OF_CONDUCT.md
+status: Done
+assignee:
+  - claude
+  - piotrzajac
+created_date: '2026-04-07 20:57'
+labels:
+  - doc
+dependencies: []
+priority: low
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Add a CODE_OF_CONDUCT.md to the repository root. The [Contributor Covenant](https://www.contributor-covenant.org/) is the standard for OSS projects and is widely recognised. GitHub surfaces this file in the community health checklist.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [x] #1 CODE_OF_CONDUCT.md exists at the repository root
+- [x] #2 Based on a recognised standard (Contributor Covenant v2.1)
+- [x] #3 Enforcement contact set to maintainer GitHub profile (@piotrzajac) — no email per project policy
+<!-- AC:END -->

.backlog/tasks/task-7 - Add-CODEOWNERS-file.md → .backlog/completed/task-7 - Add-CODEOWNERS-file.md

@@ -1,8 +1,10 @@
 ---
 id: TASK-7
 title: Add CODEOWNERS file
-status: To Do
-assignee: []
+status: Done
+assignee:
+  - claude
+  - piotrzajac
 created_date: '2026-04-07 20:58'
 labels:
   - dx
@@ -18,7 +20,7 @@ Create a .github/CODEOWNERS file that maps paths to GitHub teams or users who ar
 
 ## Acceptance Criteria
 <!-- AC:BEGIN -->
-- [ ] #1 .github/CODEOWNERS exists and is syntactically valid
-- [ ] #2 A default owner (* pattern) is defined
-- [ ] #3 Reviewers are automatically requested on PRs touching covered paths
+- [x] #1 .github/CODEOWNERS exists and is syntactically valid
+- [x] #2 A default owner (* pattern) is defined
+- [x] #3 Reviewers are automatically requested on PRs touching covered paths
 <!-- AC:END -->

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @piotrzajac

CODE_OF_CONDUCT.md

@@ -0,0 +1,52 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as contributors and maintainers pledge to make participation in this project and community
+a welcoming, respectful, and harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience, nationality,
+personal appearance, race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive,
+and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+
+Examples of behavior that is not acceptable:
+
+- Personal attacks, insults, or derogatory comments
+- Public or private harassment of any kind
+- Publishing others' private information without explicit permission
+- Any conduct that could reasonably be considered inappropriate in a professional setting
+
+## Enforcement Responsibilities
+
+The project maintainer is responsible for clarifying and enforcing these standards and will take
+appropriate corrective action in response to any behavior that is deemed inappropriate, threatening,
+or harmful.
+
+## Scope
+
+This Code of Conduct applies in all project spaces and in public spaces when an individual is
+representing the project or its community.
+
+## Enforcement
+
+Instances of unacceptable behavior may be reported by contacting Piotr Zajac
+([@piotrzajac](https://github.com/piotrzajac), the project maintainer) via GitHub.
+All reports will be reviewed and investigated promptly and fairly.
+The maintainer is obligated to maintain confidentiality with regard to the reporter of an incident.
+
+## Attribution
+
+This Code of Conduct is adapted from the
+[Contributor Covenant](https://www.contributor-covenant.org), version 2.1,
+available at https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.

SECURITY.md

@@ -0,0 +1,29 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest stable release receives security fixes.
+
+| Version | Supported |
+| ------- |:---------:|
+| Latest  | ✅        |
+| Older   | ❌        |
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Use GitHub's private vulnerability reporting instead:
+
+1. Go to the [Security tab](https://github.com/Accenture/AutoFixture.XUnit2.AutoMock/security) of this repository.
+2. Click **"Report a vulnerability"**.
+3. Fill in the details of the issue.
+
+This creates a private draft advisory visible only to the maintainer, keeping sensitive details out of the public issue tracker.
+
+## Response Timeline
+
+- **Acknowledgement**: within 14 days of the report
+- **Fix**: within 90 days of acknowledgement (coordinated disclosure)
+
+If a fix requires more time, the maintainer will communicate a revised timeline privately through the advisory thread.