Add contributing and security guides

Author: ukgorclawbot-stack

CONTRIBUTING.md

@@ -0,0 +1,96 @@
+# Contributing
+
+Thanks for contributing to Telegram Multi-Bot Stack.
+
+## Before You Open a Pull Request
+
+Please keep changes small and focused.
+
+Recommended order:
+
+1. Open an issue first if the change is large or changes architecture
+2. Create a small branch for one topic only
+3. Run the fastest local checks before submitting
+4. Explain what changed and why
+
+## Good First Contributions
+
+These are especially welcome:
+
+- documentation improvements
+- install flow fixes
+- CI fixes
+- configuration generator improvements
+- launchd template fixes
+- health check improvements
+
+## Local Checks
+
+Run these before opening a PR:
+
+```bash
+python3 -m py_compile \
+  bootstrap_bot_stack.py \
+  configure_stack.py \
+  reverse_export_bot_stack.py \
+  make_migration_ready_stack.py \
+  bot.py \
+  group_bot.py \
+  xhs_adapter.py \
+  memory_store.py \
+  routing.py \
+  runners.py \
+  task_registry.py
+
+bash -n install.sh
+bash -n configure.sh
+bash -n apply_stack.sh
+bash -n health_check.sh
+bash -n scripts/shared-memory-write.sh
+zsh -n bootstrap_bot_stack.sh
+zsh -n run_role_bot.sh
+zsh -n run_group_bot.sh
+```
+
+If your change affects generation logic, also run:
+
+```bash
+python3 configure_stack.py
+python3 bootstrap_bot_stack.py --config bot_stack.bootstrap.toml
+python3 reverse_export_bot_stack.py
+python3 make_migration_ready_stack.py
+```
+
+## What Not to Commit
+
+Do not commit:
+
+- real Telegram bot tokens
+- `.bot_tokens.env`
+- local `.env` files with secrets
+- generated runtime logs
+- sqlite runtime files
+- personal machine-specific secret values
+
+The repository already ignores most runtime files. Please double-check anyway.
+
+## Pull Request Checklist
+
+- The change is focused and reviewable
+- README or INSTALL docs were updated if behavior changed
+- No secrets were added
+- Fast local checks passed
+- The PR description explains the user-facing impact
+
+## Style Guidance
+
+- Prefer small diffs over large refactors
+- Keep behavior consistent with the current stack layout
+- Do not introduce unnecessary dependencies
+- Prefer explicit errors and simple scripts
+
+## Security Reports
+
+If you want to report a security issue, do not open a public issue first.
+
+Please follow the process in [SECURITY.md](./SECURITY.md).

README.en.md

@@ -57,6 +57,8 @@ Language:
 - English: [README.en.md](./README.en.md)
 - Chinese install: [INSTALL.md](./INSTALL.md)
 - English install: [INSTALL.en.md](./INSTALL.en.md)
+- Contributing: [CONTRIBUTING.md](./CONTRIBUTING.md)
+- Security: [SECURITY.md](./SECURITY.md)
 
 ## Quick Start
 

README.md

@@ -17,6 +17,8 @@
 - English: [README.en.md](./README.en.md)
 - 中文安装：[INSTALL.md](./INSTALL.md)
 - English install: [INSTALL.en.md](./INSTALL.en.md)
+- 贡献指南：[CONTRIBUTING.md](./CONTRIBUTING.md)
+- 安全说明：[SECURITY.md](./SECURITY.md)
 
 适合这些场景：
 - 团队协作群里的任务拆分和汇报

RELEASE_NOTES_v0.1.4.md

@@ -0,0 +1,25 @@
+# Telegram Multi-Bot Stack v0.1.4
+
+This release makes the public repository more contributor-friendly and safer.
+
+## What's New
+
+- Added `CONTRIBUTING.md`
+- Added `SECURITY.md`
+- Linked both documents from the Chinese and English README files
+
+## Why This Matters
+
+- new contributors now have a clear PR and local-check workflow
+- security-sensitive reports now have a documented path
+- the repository is more complete as a public open-source project
+
+## Quick Start
+
+```bash
+git clone https://github.com/ukgorclawbot-stack/telegram-multi-bot-stack.git
+cd telegram-multi-bot-stack
+bash ./install.sh
+bash ./configure.sh
+bash ./apply_stack.sh
+```

SECURITY.md

@@ -0,0 +1,74 @@
+# Security Policy
+
+## Supported Scope
+
+This project is a local multi-bot orchestration stack for Telegram on macOS.
+
+Security-sensitive areas include:
+
+- token handling
+- local env generation
+- launchd service generation
+- local file permissions
+- memory and runtime state storage
+
+## Please Do Not Report Publicly First
+
+If you discover a security issue, do not open a public issue with exploit details first.
+
+Instead:
+
+1. Prepare a short description
+2. Include reproduction steps if possible
+3. State whether secrets, tokens, or local file access are involved
+4. Report it privately to the maintainer
+
+## What Counts as a Security Issue
+
+Examples:
+
+- token leakage
+- secrets written into generated files or logs
+- unsafe default permissions
+- arbitrary code execution through generated config
+- unsafe path handling that could overwrite unintended files
+- unintended cross-bot memory exposure
+
+## What Usually Does Not Count
+
+Examples:
+
+- general install questions
+- feature requests
+- cosmetic documentation issues
+- requests for new integrations
+
+Those should go through normal issues or pull requests.
+
+## Safe Contribution Rules
+
+When contributing:
+
+- never commit real tokens
+- never paste `.env` secrets into issues or pull requests
+- never include private machine paths that expose sensitive local structure beyond what is necessary
+- prefer sanitized examples and placeholders
+
+## Temporary Mitigation Guidance
+
+If you think secrets may have been exposed:
+
+1. rotate the affected Telegram bot tokens immediately
+2. remove local generated env files if needed
+3. check launchd-generated env files and logs
+4. review `.bot_tokens.env`
+5. re-run local setup with sanitized values
+
+## Local Security Hygiene
+
+Before publishing changes, double-check:
+
+- `.bot_tokens.env` is not staged
+- no runtime sqlite files are staged
+- no generated logs are staged
+- docs use placeholder paths where appropriate