docs: add OSS community health files

- CONTRIBUTING.md: contributor onboarding, conventional commit rules, local setup
- CODE_OF_CONDUCT.md: adopts Contributor Covenant 2.1 by reference
- SECURITY.md: vulnerability reporting via GitHub private advisories, scope boundaries
- .github/ISSUE_TEMPLATE/config.yml: disables blank issues, links to discussions and Honcho upstream

Lifts the GitHub community profile score from 57% toward 100%.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Honcho upstream issues
+    url: https://github.com/plastic-labs/honcho/issues
+    about: Bugs in the Honcho server itself, not the OpenConcho UI.
+  - name: Question or discussion
+    url: https://github.com/offendingcommit/openconcho/discussions
+    about: General questions, ideas, or design discussion.

CODE_OF_CONDUCT.md

@@ -0,0 +1,13 @@
+# Code of Conduct
+
+This project adopts the [Contributor Covenant, version 2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) as its code of conduct.
+
+The full text is available at the link above.
+
+## Reporting
+
+Report violations to the maintainer at the email address listed on the [GitHub profile of @offendingcommit](https://github.com/offendingcommit). All reports are reviewed and investigated promptly and fairly.
+
+## Scope
+
+This Code of Conduct applies within all project spaces — issues, pull requests, discussions, and any other public or private channel where you represent the project.

CONTRIBUTING.md

@@ -0,0 +1,63 @@
+# Contributing to OpenConcho
+
+Thanks for your interest in helping out. This is a small, focused project — please read this before opening a PR.
+
+## Ground rules
+
+- **Open an issue first** for anything beyond a small fix. Discussion saves wasted work.
+- **Conventional commits** are required (`feat:`, `fix:`, `docs:`, `refactor:`, `test:`, `chore:`). They drive [semantic-release](https://semantic-release.gitbook.io/).
+- **One logical change per PR.** Easier to review, easier to revert.
+
+## Local setup
+
+```bash
+git clone https://github.com/offendingcommit/openconcho.git
+cd openconcho
+pnpm install
+pnpm dev   # web dev server at http://localhost:5173
+```
+
+For desktop work:
+
+```bash
+pnpm --filter @openconcho/desktop dev
+```
+
+## Before opening a PR
+
+```bash
+pnpm lint           # Biome lint
+pnpm typecheck      # tsc --noEmit
+pnpm test           # Vitest
+pnpm build          # full build
+```
+
+All four must pass. CI will block the merge otherwise.
+
+## Coding standards
+
+The full standards live in [`.claude/rules/coding-standards.md`](.claude/rules/coding-standards.md). The short version:
+
+- TypeScript strict mode; no `any`.
+- No hardcoded URLs — connection config lives in `localStorage` under `openconcho:config`.
+- Use CSS variables (`var(--text-1)`) for theme-aware colors, never Tailwind color utilities.
+- Cast TanStack Router `params` as `as never` at navigation callsites.
+- One assertion per test.
+
+## API schema changes
+
+`src/api/schema.d.ts` is generated. Don't edit it by hand — run:
+
+```bash
+pnpm generate:api
+```
+
+…after updating `openapi.json`.
+
+## Reporting bugs
+
+Use the [bug report template](.github/ISSUE_TEMPLATE/bug_report.yml). Include the Honcho version, your OS, and reproduction steps.
+
+## License
+
+By contributing, you agree your contributions are licensed under the [MIT License](LICENSE).

SECURITY.md

@@ -0,0 +1,36 @@
+# Security Policy
+
+## Supported Versions
+
+OpenConcho follows semantic versioning via [semantic-release](https://semantic-release.gitbook.io/). Only the latest minor release on `main` receives security fixes.
+
+| Version | Supported |
+|---------|-----------|
+| latest  | ✅        |
+| older   | ❌        |
+
+## Reporting a Vulnerability
+
+**Please do not open public issues for security reports.**
+
+Use GitHub's [private vulnerability reporting](https://github.com/offendingcommit/openconcho/security/advisories/new) to file a report. Include:
+
+- A description of the issue and its impact
+- Steps to reproduce
+- Affected version(s)
+- Any mitigations you've identified
+
+You should expect an acknowledgement within 72 hours and a fix or status update within 14 days.
+
+## Scope
+
+OpenConcho is a frontend client. It stores connection config (`base URL`, optional `token`) in `localStorage` under the keys `openconcho:config` and `openconcho:theme`. It makes no network requests outside the Honcho instance you configure.
+
+In-scope:
+- XSS, CSRF, or other client-side vulnerabilities in the OpenConcho UI
+- Token leakage from `localStorage` to third parties
+- Build-toolchain supply-chain issues
+
+Out of scope:
+- Vulnerabilities in your own Honcho instance — report those upstream at [plastic-labs/honcho](https://github.com/plastic-labs/honcho)
+- Issues that require physical access to an unlocked device