Add org-wide Security Policy and Code of Conduct

CODE_OF_CONDUCT.md

@@ -0,0 +1,122 @@
+# Contributor Covenant Code of Conduct
+
+This Code of Conduct applies to every repository and community space in the
+[Raven Scout](https://github.com/Raven-Scout) organization.
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our community a
+harassment-free experience for everyone, regardless of age, body size, visible or invisible
+disability, ethnicity, sex characteristics, gender identity and expression, level of experience,
+education, socio-economic status, nationality, personal appearance, race, caste, color, religion,
+or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive,
+and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our community include:
+
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes, and learning from
+  the experience
+- Focusing on what is best not just for us as individuals, but for the overall community
+
+Examples of unacceptable behavior include:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their
+  explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior
+and will take appropriate and fair corrective action in response to any behavior that they deem
+inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject comments, commits,
+code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and
+will communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when an individual is
+officially representing the community in public spaces. Examples of representing our community
+include using an official email address, posting via an official social media account, or acting as
+an appointed representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the project
+maintainers privately. Because this project does not operate a hosted contact desk, you can reach
+the maintainers confidentially through GitHub — for example, by opening a private report via a
+repository's **Security Advisories** page (which supports confidential messages) or by contacting a
+maintainer through their GitHub profile.
+
+All complaints will be reviewed and investigated promptly and fairly. All community leaders are
+obligated to respect the privacy and security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining the consequences for
+any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or
+unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing clarity around the
+nature of the violation and an explanation of why the behavior was inappropriate. A public apology
+may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No interaction with the people
+involved, including unsolicited interaction with those enforcing the Code of Conduct, for a
+specified period of time. This includes avoiding interactions in community spaces as well as
+external channels like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including sustained inappropriate
+behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public communication with the
+community for a specified period of time. No public or private interaction with the people involved,
+including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this
+period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community standards, including
+sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement
+of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder][mozilla].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][faq]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[mozilla]: https://github.com/mozilla/diversity
+[faq]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

SECURITY.md

@@ -0,0 +1,58 @@
+# Security Policy
+
+This policy applies to all repositories in the [Raven Scout](https://github.com/Raven-Scout)
+organization — the Scout Claude Code plugin and the macOS, iOS, and Android apps.
+
+## Supported versions
+
+Scout is an actively developed open-source project. Security fixes are made against the latest
+released version and the `main` branch of each repository. We do not backport fixes to older
+versions; please update to the latest version before reporting.
+
+## Reporting a vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues, pull requests, or
+discussions.**
+
+Instead, report them privately through GitHub's built-in private vulnerability reporting:
+
+1. Go to the affected repository (for example,
+   [scout-plugin](https://github.com/Raven-Scout/scout-plugin)).
+2. Open the **Security** tab → **Report a vulnerability**, or go directly to the repository's
+   **Security Advisories** page and choose **Report a vulnerability**.
+3. Describe the issue with enough detail for us to reproduce it.
+
+If you are unsure which repository is affected, report it on
+[scout-plugin](https://github.com/Raven-Scout/scout-plugin/security/advisories) and we will route
+it.
+
+A helpful report includes:
+
+- the repository and version (or commit) affected;
+- the type of issue and the component involved;
+- step-by-step instructions to reproduce it;
+- the potential impact; and
+- any proof-of-concept, logs, or configuration needed to reproduce it.
+
+## What to expect
+
+Scout is maintained by volunteers, so responses are best-effort rather than bound by a service
+level agreement. We aim to acknowledge a report within a few days, confirm the issue, and keep you
+updated as we work on a fix. We will credit reporters who wish to be named once a fix is released.
+Please give us a reasonable opportunity to address an issue before disclosing it publicly.
+
+## Scope and the things you control
+
+Scout is **local-first**: it runs on your own machine, under your own accounts and credentials,
+and stores everything in local files and your own git history. Because of that, a large part of
+the real security surface is in your hands:
+
+- **Protect your machine and your credentials.** Anyone with access to your computer or your
+  connector tokens can access what Scout can access.
+- **Keep your vault private.** By default the Scout vault lives in local files and your own git
+  history; if you push that history to a remote, treat it as you would any repository that may
+  contain sensitive notes, and avoid committing secrets.
+- **Keep Scout and Claude Code up to date** so you receive the latest fixes.
+
+Reports about how Scout itself handles credentials, data, or third-party integrations are very
+welcome through the private reporting process above.

profile/README.md

@@ -63,4 +63,11 @@ That's the whole system. The native apps are optional surfaces on top — see ea
 
 ---
 
-<p align="center"><sub>Built on <a href="https://claude.com/claude-code">Claude Code</a>.</sub></p>
+<p align="center">
+  <a href="https://raven-scout.github.io/scout-plugin/privacy.html">Privacy</a> ·
+  <a href="https://raven-scout.github.io/scout-plugin/terms.html">Terms</a> ·
+  <a href="https://github.com/Raven-Scout/.github/blob/main/SECURITY.md">Security</a> ·
+  <a href="https://github.com/Raven-Scout/.github/blob/main/CODE_OF_CONDUCT.md">Code of Conduct</a>
+</p>
+
+<p align="center"><sub>Scout is an independent open-source project, not affiliated with Anthropic, Microsoft, or Keboola. Built on <a href="https://claude.com/claude-code">Claude Code</a>.</sub></p>