chore(oss): pre-public-launch repo hygiene bundle — community files + DCO + IA cleanup + positioning + contact

.claude/skills/impl-execute/SKILL.md

@@ -354,7 +354,7 @@ Agent({
 3. Commit with a descriptive message referencing the story:
 
 ```bash
-git commit -m "$(cat <<'EOF'
+git commit -s -m "$(cat <<'EOF'
 feat(<scope>): <summary> (Story X.Y)
 
 <bullet points of key changes>
@@ -364,6 +364,12 @@ EOF
 )"
 ```
 
+The `-s` flag adds a `Signed-off-by:` trailer required by the DCO check
+(`.github/workflows/dco.yml` + `scripts/check-dco-signoff.sh`). See
+CONTRIBUTING.md → Developer Certificate of Origin (DCO). The local pre-commit
+hook will reject the commit if the trailer is missing; the CI gate will fail
+the PR if any commit is missing it.
+
 ### Step 8: Update progress
 
 1. Mark the story as complete in the implementation plan's execution tracker (`[x]`)
@@ -628,7 +634,7 @@ make typecheck
 ./.venv/bin/ruff format --check backend/  # exactly what CI runs; must pass here too
 ```
 
-If `make fmt` produced any diff, commit it first (`git add -A && git commit -m "style: apply ruff format (pre-push)"`) before pushing — that keeps the gate honest on the pushed SHA.
+If `make fmt` produced any diff, commit it first (`git add -A && git commit -s -m "style: apply ruff format (pre-push)"`) before pushing — that keeps the gate honest on the pushed SHA. The `-s` is required by the DCO gate (see Step 7).
 
 ```bash
 git push -u origin <branch_name>
@@ -881,7 +887,7 @@ Send to GPT-5.5 with the full implementation plan. This catches cross-story issu
 
 8. **Commit and push** the finalization changes:
    ```bash
-   git add <all changed files> && git commit -m "docs: move <feature> to implemented, update state.md"
+   git add <all changed files> && git commit -s -m "docs: move <feature> to implemented, update state.md"
    git push
    ```
 

.github/CODEOWNERS

@@ -0,0 +1,37 @@
+# CODEOWNERS — auto-request review when these paths change.
+#
+# See https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+#
+# Order matters: later rules override earlier ones. The last matching pattern
+# wins. Patterns follow the same syntax as .gitignore.
+#
+# Source-of-truth note: when a maintainer joins or leaves, update both
+# MAINTAINERS.md and this file in the same PR. Prefer team handles
+# (e.g. @SoundMindsAI/relyloop-maintainers) over individuals once the team
+# exists in the org — teams survive departures, individuals don't.
+
+# Default — everything not matched below.
+*                                       @SoundMindsAI
+
+# Governance / contributor surface — changes here have project-wide impact;
+# the project lead is the only required reviewer at v0.1.
+/LICENSE                                @SoundMindsAI
+/NOTICE                                 @SoundMindsAI
+/GOVERNANCE.md                          @SoundMindsAI
+/MAINTAINERS.md                         @SoundMindsAI
+/SECURITY.md                            @SoundMindsAI
+/CODE_OF_CONDUCT.md                     @SoundMindsAI
+/CONTRIBUTING.md                        @SoundMindsAI
+/CLAUDE.md                              @SoundMindsAI
+/.github/                               @SoundMindsAI
+
+# CI / release infra
+/.github/workflows/                     @SoundMindsAI
+/Dockerfile                             @SoundMindsAI
+/docker-compose.yml                     @SoundMindsAI
+/Makefile                               @SoundMindsAI
+/scripts/                               @SoundMindsAI
+
+# Migrations — DB schema changes need explicit project-lead review.
+/migrations/                            @SoundMindsAI
+/alembic.ini                            @SoundMindsAI

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,112 @@
+name: Bug report
+description: Something in RelyLoop doesn't behave the way the docs or spec say it should.
+title: "bug: <short summary>"
+labels: ["bug", "needs-triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a report. The more concrete the
+        repro, the faster we can act.
+
+        **Security vulnerability?** Stop. Do not file a public issue. Follow
+        [SECURITY.md](https://github.com/SoundMindsAI/relyloop/blob/main/SECURITY.md) for private reporting.
+
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened
+      description: A clear, factual description of the failure — what you did, what you saw.
+      placeholder: |
+        Ran `make seed-clusters`, opened `/chat`, asked for a relevance study,
+        got HTTP 500 from `/api/v1/studies` instead of the queued response.
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: What you expected
+      description: What should have happened, based on the docs / tutorial / spec.
+    validations:
+      required: true
+
+  - type: textarea
+    id: repro
+    attributes:
+      label: Reproduction
+      description: |
+        Step-by-step. The most useful repros run against a fresh `make up`
+        stack. If you can paste a `curl` command or a `pytest` test, even
+        better.
+      placeholder: |
+        1. `make up && make migrate && make seed-clusters && make seed-es`
+        2. `curl -X POST http://127.0.0.1:8000/api/v1/studies -H "Content-Type: application/json" -d '{"...": "..."}'`
+        3. Response is 500 instead of 202.
+    validations:
+      required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: RelyLoop version
+      description: Output of `git rev-parse --short HEAD` or the release tag.
+      placeholder: "v0.1.0 (or 6ff9c211)"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: engine
+    attributes:
+      label: Search engine
+      description: Which engine were you exercising when this happened?
+      options:
+        - Elasticsearch (local-es from compose)
+        - OpenSearch (local-opensearch from compose)
+        - Elasticsearch (operator-managed, not from compose)
+        - OpenSearch (operator-managed, not from compose)
+        - Not engine-related (UI, infra, docs, etc.)
+        - Other (please describe in "What happened")
+    validations:
+      required: true
+
+  - type: input
+    id: engine-version
+    attributes:
+      label: Engine version
+      description: e.g. ES 9.4.0, OpenSearch 2.18.0. Leave blank if not engine-related.
+      placeholder: "9.4.0"
+
+  - type: dropdown
+    id: llm
+    attributes:
+      label: LLM endpoint
+      description: What was `OPENAI_BASE_URL` pointed at?
+      options:
+        - api.openai.com (default)
+        - Ollama (local)
+        - LM Studio (local)
+        - vLLM (self-hosted)
+        - HuggingFace TGI
+        - Azure OpenAI
+        - Other OpenAI-compatible endpoint
+        - LLM-irrelevant for this bug
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant logs
+      description: |
+        Output of `make logs` (or `docker compose logs api worker`) around
+        the failure. Scrub anything that looks like a secret before pasting.
+      render: shell
+
+  - type: textarea
+    id: env
+    attributes:
+      label: Environment
+      description: OS, Docker version, anything else you think matters.
+      placeholder: |
+        macOS 15.5, Docker 27.3, 32 GB RAM

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/SoundMindsAI/relyloop/security/advisories/new
+    about: Report a security vulnerability privately. Do not file a public issue.
+  - name: Question or design discussion
+    url: https://github.com/SoundMindsAI/relyloop/discussions
+    about: Ask a usage question, propose a design, or start an open-ended thread.
+  - name: Documentation issue
+    url: https://github.com/SoundMindsAI/relyloop/issues/new?template=bug_report.yml&labels=bug,docs,needs-triage&title=docs%3A+%3Cshort+summary%3E
+    about: Found a typo or a docs claim that doesn't match the code? File a bug with the "docs" label.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,49 @@
+name: Feature request
+description: Propose a new capability or a change to existing behavior.
+title: "feat: <short summary>"
+labels: ["enhancement", "needs-triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for thinking about how to make RelyLoop better. Before filing,
+        please skim the [umbrella spec §4 (non-goals)](https://github.com/SoundMindsAI/relyloop/blob/main/docs/00_overview/relyloop-spec.md)
+        and the [release matrix](https://github.com/SoundMindsAI/relyloop/blob/main/docs/01_architecture/tech-stack.md)
+        to see whether the capability is already planned for a later release.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What problem are you trying to solve? Concrete situation, not abstract wish.
+      placeholder: |
+        I want to run a study against three judgment lists at once to see
+        which one disagrees least with the LLM-judge baseline, and right
+        now I have to launch and compare three separate studies by hand.
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: What change in RelyLoop would make this easier? Sketch the API / UI / CLI surface.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: |
+        Other approaches you thought about and why you didn't pick them.
+        "I couldn't think of any" is a legitimate answer for small requests
+        but is a yellow flag for large ones.
+
+  - type: textarea
+    id: scope
+    attributes:
+      label: Scope and willingness to contribute
+      description: |
+        Roughly how big do you think this is? Are you offering to send a PR,
+        or filing the request and hoping someone picks it up?

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,62 @@
+<!--
+Thanks for sending a PR. A few quick reminders before you hit submit:
+
+- This project uses DCO sign-off. Run `git commit -s` for every commit, or
+  amend with `git commit -s --amend`. The DCO check will block the PR
+  until every commit has a `Signed-off-by:` trailer.
+- Commit messages follow Conventional Commits (`feat:`, `fix:`, `docs:`,
+  etc.). See CONTRIBUTING.md.
+- Never use `--no-verify` to skip pre-commit hooks. If a hook fails, fix
+  the root cause.
+- If your change touches a public API, the spec, or an absolute rule in
+  CLAUDE.md, please call it out in "Notes for reviewers" below.
+
+Security vulnerabilities should not be filed as PRs — see SECURITY.md.
+-->
+
+## Summary
+
+<!-- 1–3 bullets. What does this change and why. -->
+
+## Linked issues
+
+<!-- e.g. `Closes #123`. If there is no issue, briefly say why. -->
+
+## Type of change
+
+<!-- Delete the ones that don't apply. -->
+
+- feat (new capability)
+- fix (bug fix)
+- docs (documentation only)
+- chore (tooling, deps, repo hygiene)
+- refactor (no behavior change)
+- test (adding or updating tests)
+- ci / infra (build, deploy, hooks)
+
+## Testing
+
+<!--
+What you ran locally. Examples:
+
+- `make test-unit` — 412 passed
+- `make test-contract` — 38 passed
+- Re-ran `make seed-clusters && make seed-es` against a fresh `make up`
+  stack; verified `/healthz` reports `subsystems.elasticsearch_clusters:
+  registered=2, healthy=2`.
+-->
+
+## Notes for reviewers
+
+<!--
+Optional. Things you'd like a reviewer to look at extra-carefully:
+schema decisions, prompt changes, anything that could affect production
+behavior of operator-merged configs, follow-up items you deferred.
+-->
+
+## Checklist
+
+- [ ] Commits are signed off (`git commit -s`) and follow Conventional Commits.
+- [ ] New behavior has tests at every layer it touches (unit / integration / contract / E2E).
+- [ ] Docs updated (`README.md`, `CLAUDE.md`, `state.md`, `architecture.md`, runbooks under `docs/03_runbooks/`) where applicable.
+- [ ] If this changes the spec, the spec was updated first (and the change is referenced above).

.github/workflows/dco.yml

@@ -0,0 +1,56 @@
+name: DCO
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  dco-check:
+    name: DCO sign-off check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Fetch full history so `git log <base>..HEAD` resolves.
+          fetch-depth: 0
+
+      - name: Verify Signed-off-by trailer on every PR commit
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          set -euo pipefail
+
+          BASE="origin/${BASE_REF}"
+          git fetch --quiet origin "${BASE_REF}"
+
+          MISSING=()
+          while IFS= read -r sha; do
+            [[ -z "$sha" ]] && continue
+            # Skip merge commits — their parents already had the check.
+            if [[ $(git rev-list --parents -n 1 "$sha" | awk '{print NF-1}') -gt 1 ]]; then
+              continue
+            fi
+            body=$(git log -1 --format='%B' "$sha")
+            if ! grep -qE '^Signed-off-by: .+ <.+@.+>$' <<< "$body"; then
+              subject=$(git log -1 --format='%s' "$sha")
+              MISSING+=("${sha:0:12}  ${subject}")
+            fi
+          done < <(git rev-list "${BASE}..${HEAD_SHA}")
+
+          if [ "${#MISSING[@]}" -gt 0 ]; then
+            echo "::error::DCO violation. The following commits are missing a Signed-off-by trailer:"
+            printf '  %s\n' "${MISSING[@]}"
+            echo ""
+            echo "Fix locally with:"
+            echo "  git rebase --signoff origin/${BASE_REF}"
+            echo "  git push --force-with-lease"
+            echo ""
+            echo "See CONTRIBUTING.md → Developer Certificate of Origin (DCO)."
+            exit 1
+          fi
+
+          echo "DCO check passed: every commit in ${BASE}..HEAD has a Signed-off-by trailer."

.pre-commit-config.yaml

@@ -143,3 +143,14 @@ repos:
         entry: bash scripts/check-conventional-commit.sh
         language: system
         stages: [commit-msg]
+
+  # ---------------------------------------------------------------------------
+  # DCO sign-off (commit-msg stage) — see CONTRIBUTING.md "Developer Certificate
+  # of Origin (DCO)". CI gate at .github/workflows/dco.yml enforces the same on
+  # every PR; this hook catches the miss locally.
+  # ---------------------------------------------------------------------------
+      - id: dco-signoff
+        name: DCO Signed-off-by trailer check
+        entry: bash scripts/check-dco-signoff.sh
+        language: system
+        stages: [commit-msg]

CLAUDE.md

@@ -101,7 +101,7 @@ scripts/
   install.sh      # auto-generates required + optional secrets, then docker compose up -d
   check-conventional-commit.sh   # commit-msg pre-commit hook
 docs/
-  00_overview/    # umbrella spec (relevance-copilot-spec.md), implemented_features/<YYYY_MM_DD>_<slug>/
+  00_overview/    # umbrella spec (relyloop-spec.md), implemented_features/<YYYY_MM_DD>_<slug>/
   01_architecture/# topical arch docs: tech-stack, system-overview, data-model, deployment, api-conventions, adapters, llm-orchestration, optimization, ui-architecture, agent-tools, apply-path, mvp1-overview
   02_product/     # mvp1-user-stories.md + planned_features/<feature>/
   03_runbooks/    # local-dev.md (and per-feature runbooks as features ship)