[codex] Improve open source documentation governance

CODE_OF_CONDUCT.md

@@ -0,0 +1,23 @@
+# Code of Conduct
+
+## 中文摘要
+
+- 用途：本文档说明 QuantStrategyLab 仓库中的讨论、issue、pull request 和 review 行为规范。
+- 主要覆盖：`Our Standards`、`Project Scope`、`Reporting and Enforcement`。
+- 阅读顺序：参与讨论或提交 PR 前先确认沟通边界；发现不当行为时联系维护者。
+- 风险提示：涉及投资、交易、密钥或实盘系统的讨论必须保持克制、可复现和证据导向。
+
+## Our Standards
+
+- Be respectful, direct, and evidence-oriented in issues, pull requests, reviews, and discussions.
+- Assume technical disagreement is about the work. Keep feedback specific to code, docs, data, evidence, reproducibility, or operational risk.
+- Avoid harassment, insults, discriminatory language, personal attacks, and repeated off-topic comments.
+- Do not pressure maintainers or contributors to disclose private account details, credentials, trading records, unpublished data, or personal information.
+
+## Project Scope
+
+QuantStrategyLab repositories involve research, automation, strategy artifacts, and trading-support systems. Contributions should keep financial claims conservative and verifiable, separate research evidence from live-trading decisions, and avoid presenting examples as investment advice.
+
+## Reporting and Enforcement
+
+Report conduct concerns to the maintainer on GitHub: `@Pigbibi`. Maintainers may edit or remove comments, close issues or pull requests, restrict participation, or take other reasonable steps to protect contributors and project integrity.

CONTRIBUTING.md

@@ -0,0 +1,44 @@
+# Contributing
+
+## 中文摘要
+
+- 用途：本文档说明如何向 `QuantAdvisorResearch` 提交低风险、可审阅的变更。
+- 主要覆盖：`Ground Rules`、`Documentation Standards`、`Branching and Pull Requests`、`Local Verification`。
+- 阅读顺序：先确认仓库边界和变更范围，再运行适合本仓库的本地校验。
+- 风险提示：涉及策略、artifact、自动化、密钥、云资源、券商或交易所行为的变更，必须先用测试环境、dry-run 或只读证据验证；不要只凭示例修改生产。
+- 英文正文保留更完整的命令、字段名和配置键；如果摘要和正文不一致，以正文中的实际命令和配置为准。
+
+Thanks for contributing to `QuantAdvisorResearch`.
+
+## Ground Rules
+
+- Prefer small pull requests with one clear purpose.
+- Keep refactors separate from behavior, contract, workflow, or documentation changes.
+- Preserve this repository's boundary as a research publishing system; do not move broker execution, live-allocation decisions, private credentials, or unrelated platform logic into it.
+- Add or update tests, examples, docs, or reproducible evidence when changing behavior or public contracts.
+
+## Documentation Standards
+
+- Keep `README.md` as the entry point for project purpose, boundary, repository layout, quick start, and links to deeper docs.
+- Put long-form runbooks, artifact contracts, evidence notes, and architecture details under `docs/` when they outgrow the README.
+- Document inputs, outputs, required permissions, risk controls, and validation commands for workflows or scripts that touch external systems.
+- Keep English and Chinese user-facing docs aligned when a change affects operators, contributors, or downstream platform users.
+
+## Branching and Pull Requests
+
+- Create a topic branch for each change.
+- Open a pull request with a concise summary, scope boundary, and concrete validation notes.
+- Wait for CI to pass before merging.
+- Do not include generated artifacts, private data, credentials, account identifiers, or local environment files unless the repository explicitly documents them as public examples.
+
+## Local Verification
+
+Run the lightweight whitespace check for every change and the repository test command when code, contracts, workflows, or examples change:
+
+```bash
+git diff --check
+python -m pip install -e '.[test]'
+python -m pytest -q
+```
+
+For documentation-only changes, at minimum review Markdown links, headings, and bilingual consistency before opening the pull request.

README.md

@@ -42,6 +42,12 @@ python -m pytest -q
 - [`docs/system_design.md`](docs/system_design.md)
 - [`docs/system_design.zh-CN.md`](docs/system_design.zh-CN.md)
 
+## Community and security
+
+- See [CONTRIBUTING.md](CONTRIBUTING.md) for pull request scope, local verification, and documentation expectations.
+- Follow [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) for maintainer and contributor conduct.
+- Report credential, automation, broker, exchange, or cloud-resource vulnerabilities through [SECURITY.md](SECURITY.md); do not open public issues for secrets or live-execution risk.
+
 ## License
 
 See [LICENSE](LICENSE).

README.zh-CN.md

@@ -42,6 +42,12 @@ python -m pytest -q
 - [`docs/system_design.md`](docs/system_design.md)
 - [`docs/system_design.zh-CN.md`](docs/system_design.zh-CN.md)
 
+## 社区和安全
+
+- 贡献前请阅读 [CONTRIBUTING.md](CONTRIBUTING.md)，确认 PR 范围、本地校验和文档要求。
+- 讨论、issue 和 review 请遵守 [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)。
+- 涉及密钥、自动化、券商/交易所或云资源的漏洞请按 [SECURITY.md](SECURITY.md) 私密报告；不要为 secret 或实盘风险开公开 issue。
+
 ## 许可证
 
 详见 [LICENSE](LICENSE)。

SECURITY.md

@@ -0,0 +1,33 @@
+# Security Policy
+
+## 中文摘要
+
+- 用途：本文档说明如何报告 `QuantAdvisorResearch` 的安全问题，以及密钥或凭证暴露时的处理顺序。
+- 主要覆盖：`Reporting a Vulnerability`、`Secret and Credential Exposure`、`Scope Notes`。
+- 阅读顺序：发现问题后先避免公开泄露，再通过私密渠道提供最小复现信息。
+- 风险提示：涉及实盘、密钥、权限、Cloud Run、GitHub Actions、交易所或券商 API 的问题，不要开公开 issue 或贴出敏感日志。
+- 英文正文保留更完整的命令、字段名和配置键；如果摘要和正文不一致，以正文中的实际命令和配置为准。
+
+Thanks for helping keep `QuantAdvisorResearch` safe.
+
+This repository is part of the QuantStrategyLab automation, research, or trading-support surface. Please do **not** open a public issue for vulnerabilities involving credentials, broker or exchange access, cloud resources, workflow tokens, private market data, account identifiers, order execution, or secret material.
+
+## Reporting a Vulnerability
+
+- Contact the maintainer directly at GitHub: `@Pigbibi`.
+- If private vulnerability reporting is enabled for this repository, prefer that channel.
+- Include the repository name, affected commit or branch, environment details, and exact reproduction steps.
+- Share only the minimum logs, payloads, or screenshots needed to reproduce the issue, and redact secrets or account identifiers.
+
+## Secret and Credential Exposure
+
+If you suspect tokens, passwords, API keys, service-account keys, cookies, broker credentials, or workflow credentials were exposed:
+
+1. Rotate the exposed secrets immediately.
+2. Pause scheduled jobs, deployments, or external integrations if the exposure can affect automation, artifact publishing, notifications, or trading behavior.
+3. Remove the exposed material from open pull requests, issues, logs, and artifacts.
+4. Coordinate any required history rewrite or downstream credential update with the maintainer.
+
+## Scope Notes
+
+Security fixes should stay minimal and focused. Please avoid bundling unrelated refactors, formatting churn, research changes, or feature work with a security report or patch.