From 16ad03926b31eddde9714a240b1ab8fc2e50d319 Mon Sep 17 00:00:00 2001
From: Mike Odnis <airwolf635@gmail.com>
Date: Fri, 12 Jun 2026 23:10:15 -0400
Subject: [PATCH 1/5] docs(standards): add org engineering standards + restyle
 README template
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Engineering guidelines (docs/standards/):
- README.md      — index, the standard-stack table, enforcement model
- 01-baseline    — Tier 1: required toolchain, hard rules, code shape (all repos)
- 02-languages   — Tier 2: per-language tooling/idioms (TS, Py, C#, Rust, C/C++, sh, SQL, md/json/yaml)
- 03-safety-overlay — Tier 3: JSF AV C++ / MISRA / NASA Power of Ten for device- & flight-adjacent code
- 04-security    — security overlay (OWASP/CERT, secrets, web headers, crypto/auth)
Linked from README.md and CONTRIBUTING.md (new "Engineering standards" section).

CONTRIBUTING onboarding: collapse the two-curl flow to the single
`curl -fsSL https://get.resq.software | sh` (install.sh does CLI + hooks).

README template restyle (editorial / centered):
- one centered hero <div> — mark, title, tagline, calm flat badge row
  (logos + the ResQ sky accent 0ea5e9), single nav line, ◆ divider.
- new ## Stats section: Repobeats activity embed + contrib.rocks avatars.
- TOC updated; all internal links verified to resolve.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 CONTRIBUTING.md                     |  27 +++++--
 README.md                           |   1 +
 README.template.md                  | 117 +++++++++++++---------------
 docs/standards/01-baseline.md       |  69 ++++++++++++++++
 docs/standards/02-languages.md      | 101 ++++++++++++++++++++++++
 docs/standards/03-safety-overlay.md |  84 ++++++++++++++++++++
 docs/standards/04-security.md       |  60 ++++++++++++++
 docs/standards/README.md            |  66 ++++++++++++++++
 8 files changed, 453 insertions(+), 72 deletions(-)
 create mode 100644 docs/standards/01-baseline.md
 create mode 100644 docs/standards/02-languages.md
 create mode 100644 docs/standards/03-safety-overlay.md
 create mode 100644 docs/standards/04-security.md
 create mode 100644 docs/standards/README.md

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 789ab57..6125bd4 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -4,17 +4,13 @@ Thanks for your interest. This guide applies to every repository under [`resq-so
 
 ## Onboarding
 
-Two curls get you from a bare machine to a working ResQ dev loop:
+One curl gets you from a bare machine to a working ResQ dev loop:
 
 ```bash
-# 1. Install the `resq` CLI (SHA-verified release binary, cargo fallback)
-curl -fsSL https://raw.githubusercontent.com/resq-software/dev/main/scripts/install-resq.sh | sh
-
-# 2. Inside a cloned ResQ repo, install the canonical git hooks
-cd <repo> && curl -fsSL https://raw.githubusercontent.com/resq-software/dev/main/scripts/install-hooks.sh | sh
+curl -fsSL https://get.resq.software | sh
 ```
 
-The second script installs six hooks (pre-commit, commit-msg, prepare-commit-msg, pre-push, post-checkout, post-merge) that delegate to `resq pre-commit`. It also offers to scaffold a repo-type-aware `local-pre-push` (Rust / Python / Node / .NET / C++ / Nix).
+This installs the SHA256-verified `resq` CLI (with a `cargo install --git` fallback), optionally clones a repo, and — when run inside a repo — installs the canonical git hooks: six hooks (pre-commit, commit-msg, prepare-commit-msg, pre-push, post-checkout, post-merge) that delegate to `resq pre-commit`, plus an offer to scaffold a repo-type-aware `local-pre-push` (Rust / Python / Node / .NET / C++ / Nix).
 
 Full contract: [`resq-software/dev/AGENTS.md#git-hooks`](https://github.com/resq-software/dev/blob/main/AGENTS.md#git-hooks).
 
@@ -57,6 +53,23 @@ resq hooks doctor         # report drift between installed and canonical hooks
 resq hooks update         # rewrite installed hooks from embedded templates
 ```
 
+## Engineering standards
+
+Org-wide code standards live in [`docs/standards/`](./docs/standards/) — a
+three-tier model:
+
+- [**Tier 1 — Baseline**](./docs/standards/01-baseline.md): required toolchain,
+  hard rules, code shape (every repo).
+- [**Tier 2 — Language enforcement**](./docs/standards/02-languages.md): per-language
+  tooling and idioms (TS, Python, C#, Rust, C/C++, Shell, SQL, …).
+- [**Tier 3 — Safety overlay**](./docs/standards/03-safety-overlay.md): JSF / MISRA /
+  NASA Power of Ten for device- and flight-adjacent code.
+- [**Security overlay**](./docs/standards/04-security.md): untrusted input, secrets,
+  auth, crypto.
+
+Per-repo specifics (commands, architecture, deliberate deviations) still live in
+each repo's `AGENTS.md`.
+
 ## Opening a PR
 
 1. Branch from the default branch; name it per the pattern above.
diff --git a/README.md b/README.md
index dc6be36..c0ef89b 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@ Organization-wide community health files, issue/PR templates, and the public pro
 | `profile/README.md` | The org profile shown at [github.com/resq-software](https://github.com/resq-software) |
 | `assets/` | Shared assets (banner, logo) used across org READMEs |
 | `README.template.md` | Standardized README template for new ResQ repositories |
+| [`docs/standards/`](docs/standards/) | Org-wide engineering standards — the three-tier model (baseline, per-language, safety overlay) + security overlay |
 
 ### Community Health Files
 
diff --git a/README.template.md b/README.template.md
index 3e69273..c8f37ea 100644
--- a/README.template.md
+++ b/README.template.md
@@ -16,86 +16,52 @@
   ═══════════════════════════════════════════════════════════════════
 -->
 
-<!-- BANNER: 1200×300 recommended. Store in assets/banner.png or skip entirely -->
-<p align="center">
-  <img src="assets/banner.png" alt="{{PROJECT_NAME}} Banner" width="100%" />
-</p>
+<!-- ─────────────────────────────────────────────────────────────────────
+     HERO — editorial / centered. Keep it calm: a mark, the name, one line,
+     a short badge row, a single nav line. Everything lives inside one
+     centered <div>. The "ResQ README Template" marker comment above must
+     stay (org tooling checks for it).
+     ───────────────────────────────────────────────────────────────────── -->
+<div align="center" markdown="1">
+
+<!-- MARK: a square logo (~96–120px, assets/logo.png) reads cleaner in this
+     centered layout than a wide banner. Swap src/width for a 1200×300
+     banner if you prefer one. -->
+<img src="assets/banner.png" alt="{{PROJECT_NAME}}" width="120" />
 
 <h1 align="center">{{PROJECT_NAME}}</h1>
 
-<!-- TAGLINE: one sentence. What it is and who it's for. -->
-<p align="center">
-  {{ONE_LINE_DESCRIPTION}}
-</p>
-
-<!--
-  BADGES — keep this row short (4–6 max).
-  Delete the blocks that don't apply. The correct URL pattern per ecosystem:
+<p align="center"><em>{{ONE_LINE_DESCRIPTION}}</em></p>
 
-  ── CI (all projects) ───────────────────────────────────────────────
-  https://img.shields.io/github/actions/workflow/status/resq-software/{{REPO}}/ci.yml?branch=main
+<!-- BADGES — keep to 4–6. Pick ONE version badge for your ecosystem and
+     delete the rest. `flat` + a logo + the ResQ sky accent (0ea5e9) keeps
+     the row quiet and consistent. Blank lines around this block are load-
+     bearing: they let GitHub render the Markdown badges inside the <div>. -->
 
-  ── Version ─────────────────────────────────────────────────────────
-  npm:      https://img.shields.io/npm/v/{{NPM_PACKAGE}}
-  crates:   https://img.shields.io/crates/v/{{CRATE_NAME}}
-  PyPI:     https://img.shields.io/pypi/v/{{PYPI_PACKAGE}}
-  NuGet:    https://img.shields.io/nuget/v/{{NUGET_PACKAGE}}
-
-  ── Coverage ─────────────────────────────────────────────────────────
-  https://codecov.io/gh/resq-software/{{REPO}}/graph/badge.svg
-
-  ── License (Apache-2.0, all ResQ projects) ─────────────────────────
-  https://img.shields.io/badge/license-Apache--2.0-blue.svg
--->
-<p align="center">
-  <!-- CI -->
-  <a href="https://github.com/resq-software/{{REPO}}/actions/workflows/ci.yml">
-    <img src="https://img.shields.io/github/actions/workflow/status/resq-software/{{REPO}}/ci.yml?branch=main&label=ci&style=flat-square" alt="CI" />
-  </a>
-  <!-- Version — pick ONE block below based on ecosystem, delete the rest -->
-  <!-- npm -->
-  <a href="https://www.npmjs.com/package/{{NPM_PACKAGE}}">
-    <img src="https://img.shields.io/npm/v/{{NPM_PACKAGE}}?style=flat-square&label=npm" alt="npm version" />
-  </a>
-  <!-- crates.io -->
-  <a href="https://crates.io/crates/{{CRATE_NAME}}">
-    <img src="https://img.shields.io/crates/v/{{CRATE_NAME}}?style=flat-square" alt="crates.io" />
-  </a>
-  <!-- PyPI -->
-  <a href="https://pypi.org/project/{{PYPI_PACKAGE}}/">
-    <img src="https://img.shields.io/pypi/v/{{PYPI_PACKAGE}}?style=flat-square" alt="PyPI" />
-  </a>
-  <!-- NuGet -->
-  <a href="https://www.nuget.org/packages/{{NUGET_PACKAGE}}">
-    <img src="https://img.shields.io/nuget/v/{{NUGET_PACKAGE}}?style=flat-square" alt="NuGet" />
-  </a>
-  <!-- Coverage -->
-  <a href="https://codecov.io/gh/resq-software/{{REPO}}">
-    <img src="https://codecov.io/gh/resq-software/{{REPO}}/graph/badge.svg" alt="Coverage" />
-  </a>
-  <!-- License -->
-  <a href="./LICENSE">
-    <img src="https://img.shields.io/badge/license-Apache--2.0-blue.svg?style=flat-square" alt="License: Apache-2.0" />
-  </a>
-  <!-- Stars -->
-  <a href="https://github.com/resq-software">
-    <img src="https://img.shields.io/github/stars/resq-software.svg?color=gold&style=flat-square&label=Total%20Stars" alt="Total Stars" />
-  </a>
-</p>
+[![CI](https://img.shields.io/github/actions/workflow/status/resq-software/{{REPO}}/ci.yml?branch=main&style=flat&logo=githubactions&logoColor=white&label=ci&color=0ea5e9)](https://github.com/resq-software/{{REPO}}/actions/workflows/ci.yml)
+[![npm](https://img.shields.io/npm/v/{{NPM_PACKAGE}}?style=flat&logo=npm&label=npm&color=0ea5e9)](https://www.npmjs.com/package/{{NPM_PACKAGE}})
+[![crates.io](https://img.shields.io/crates/v/{{CRATE_NAME}}?style=flat&logo=rust&logoColor=white&color=0ea5e9)](https://crates.io/crates/{{CRATE_NAME}})
+[![PyPI](https://img.shields.io/pypi/v/{{PYPI_PACKAGE}}?style=flat&logo=pypi&logoColor=white&color=0ea5e9)](https://pypi.org/project/{{PYPI_PACKAGE}}/)
+[![NuGet](https://img.shields.io/nuget/v/{{NUGET_PACKAGE}}?style=flat&logo=nuget&logoColor=white&color=0ea5e9)](https://www.nuget.org/packages/{{NUGET_PACKAGE}})
+[![Coverage](https://codecov.io/gh/resq-software/{{REPO}}/graph/badge.svg)](https://codecov.io/gh/resq-software/{{REPO}})
+[![License: Apache-2.0](https://img.shields.io/badge/license-Apache--2.0-0ea5e9?style=flat)](./LICENSE)
 
-<!-- NAV ROW — quick links. Keep it to one line; drop entries that don't apply. -->
 <p align="center">
   <a href="https://docs.resq.software"><b>Documentation</b></a>
   &nbsp;·&nbsp;
   <a href="https://resq.software"><b>Website</b></a>
   &nbsp;·&nbsp;
-  <a href="#quick-start"><b>Quick Start</b></a>
+  <a href="#quick-start"><b>Quick&nbsp;Start</b></a>
   &nbsp;·&nbsp;
-  <a href="https://github.com/resq-software/{{REPO}}/issues/new/choose"><b>Report Bug</b></a>
+  <a href="https://github.com/resq-software/{{REPO}}/issues/new/choose"><b>Report&nbsp;Bug</b></a>
   &nbsp;·&nbsp;
-  <a href="https://github.com/resq-software/{{REPO}}/issues/new/choose"><b>Request Feature</b></a>
+  <a href="https://github.com/resq-software/{{REPO}}/issues/new/choose"><b>Request&nbsp;Feature</b></a>
 </p>
 
+</div>
+
+<p align="center">◆&nbsp;&nbsp;&nbsp;◆&nbsp;&nbsp;&nbsp;◆</p>
+
 ---
 
 <!-- TABLE OF CONTENTS: include when the README is longer than ~150 lines -->
@@ -115,6 +81,7 @@
 - [Changelog](#changelog)
 - [License](#license)
 - [Acknowledgements](#acknowledgements)
+- [Stats](#stats)
 
 ---
 
@@ -385,6 +352,26 @@ Licensed under the [Apache License, Version 2.0](./LICENSE).
 
 ---
 
+## Stats
+
+<!-- Repobeats renders a live activity panel (commits, PRs, issues,
+     contributors) as a single SVG. Generate the embed URL for THIS repo at
+     https://repobeats.axiom.co — paste the per-repo hash below. Delete this
+     section for private repos or where activity stats aren't useful. -->
+
+<div align="center">
+
+![{{PROJECT_NAME}} activity](https://repobeats.axiom.co/api/embed/{{REPOBEATS_HASH}}.svg "Repobeats analytics image")
+
+<!-- Contributor avatars — auto-generated, no setup beyond the repo path. -->
+<a href="https://github.com/resq-software/{{REPO}}/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=resq-software/{{REPO}}" alt="Contributors" />
+</a>
+
+</div>
+
+---
+
 <!--
   ═══════════════════════════════════════════════════════════════════
   AUTOMATION REFERENCE — delete this section before publishing
diff --git a/docs/standards/01-baseline.md b/docs/standards/01-baseline.md
new file mode 100644
index 0000000..dc8606e
--- /dev/null
+++ b/docs/standards/01-baseline.md
@@ -0,0 +1,69 @@
+# Tier 1 — Repo-wide Baseline
+
+Applies to **every** repository, regardless of language. If a repo can't meet a
+baseline rule, that's a written deviation in its `AGENTS.md`, not a silent skip.
+
+## Required toolchain
+
+Every repo must have, wired into CI via the org `required` check:
+
+- **Formatter** — runs in CI in check mode; no unformatted code on `main`.
+- **Linter** — runs in CI; warnings are errors in CI (`-D warnings`-style).
+- **Type checker** — where the language has one (TS, Python, C#); enabled in
+  strict mode.
+- **Tests** — for any non-trivial logic. New behavior ships with a test.
+- **Security scan** — the org `security-scan.yml` (CodeQL/OSV/Dependency Review/
+  zizmor/actionlint, opt-in Gitleaks/Semgrep/Snyk).
+
+## Hard rules
+
+```text
+No secrets in code.            Use env vars or a secret manager; validate at startup.
+No unchecked external input.   Validate at every trust boundary; fail closed.
+No unbounded retries.          Every retry loop has a max attempt count + backoff.
+No missing timeouts.           Every network / IO call has an explicit timeout.
+No silent catch/except.        Handle, wrap, or propagate — never swallow.
+No TODOs in production paths.  Unless linked to a tracked issue.
+No hand-edited generated files. Regenerate; edit the source/template.
+No mutation where avoidable.   Prefer immutable data; localize necessary mutation.
+```
+
+## Code shape
+
+These are defaults; languages may override in [Tier 2](./02-languages.md) where
+idioms differ (e.g. Go pointer receivers).
+
+- **Functions** focused — aim < 50 lines; extract when responsibilities stack.
+- **Files** cohesive — 200–400 lines typical, 800 max; many small files over few
+  large ones.
+- **Nesting** shallow — prefer early returns over > 4 levels of nesting.
+- **Names** descriptive — `camelCase`/`snake_case` per language; booleans read as
+  `is`/`has`/`should`/`can`; constants `UPPER_SNAKE_CASE`.
+- **No magic numbers** — name meaningful thresholds, delays, limits.
+
+## Errors & logging
+
+- Handle errors explicitly at every layer; user-facing messages stay friendly,
+  server-side logs carry the detail.
+- Structured logs (key/value or JSON), not `print`-debugging left in.
+- Never leak secrets, tokens, or PII into logs or error messages.
+
+## Repository hygiene
+
+Enforced by [`repo-standards.yml`](../../.github/workflows/repo-standards.yml):
+
+- A detectable `LICENSE` (Apache-2.0 unless a repo declares otherwise).
+- A real `README.md` — start from [`README.template.md`](../../README.template.md);
+  no leftover `{{PLACEHOLDER}}` tokens.
+- Org community-health files (`CONTRIBUTING`, `SECURITY`, `CODE_OF_CONDUCT`,
+  `SUPPORT`) are inherited org-wide from this repo — don't duplicate unless
+  overriding.
+- Conventional Commits + the branch-name pattern (see [`CONTRIBUTING.md`](../../CONTRIBUTING.md)).
+
+## Definition of done
+
+- [ ] Formatter, linter, type-checker, tests, security scan green (`required` ✓)
+- [ ] No secrets, no swallowed errors, no unbounded loops/timeouts
+- [ ] New behavior covered by tests
+- [ ] Public API / behavior change reflected in docs and CHANGELOG
+- [ ] Any standards deviation documented in `AGENTS.md`
diff --git a/docs/standards/02-languages.md b/docs/standards/02-languages.md
new file mode 100644
index 0000000..92daeb0
--- /dev/null
+++ b/docs/standards/02-languages.md
@@ -0,0 +1,101 @@
+# Tier 2 — Language Enforcement
+
+Per-language tooling and idioms. A repo's `lang` custom property selects which
+section applies; polyglot repos apply every relevant section. These extend
+[Tier 1](./01-baseline.md) and override it where the language idiom differs.
+
+---
+
+## TypeScript
+
+The most important move is **strictness**, not style.
+
+- `tsconfig.json` extends a strict base:
+  ```jsonc
+  {
+    "compilerOptions": {
+      "strict": true,
+      "noImplicitOverride": true,
+      "noUncheckedIndexedAccess": true,
+      "exactOptionalPropertyTypes": true,
+      "noFallthroughCasesInSwitch": true
+    }
+  }
+  ```
+- No `any`. Use `unknown` at trust boundaries and narrow.
+- Validate all external data (API responses, env, user input) with Zod / Valibot
+  / TypeBox before it enters typed code.
+- Lint with [typescript-eslint](https://typescript-eslint.io/) recommended +
+  type-checked configs. Format with Prettier/Biome. Base style: Google TS guide.
+
+## JavaScript (legacy / scripts / Node tooling)
+
+- ESLint recommended; prefer migrating to TypeScript when a file grows logic.
+- Google JS style guide as the base; prefer ESM.
+
+## Python
+
+- [PEP 8](https://peps.python.org/pep-0008/) + [PEP 257](https://peps.python.org/pep-0257/) baseline; Google Python style for structure.
+- Tooling: **Ruff** (lint + format), **Pyright** or **mypy** (strict), **pytest**,
+  **Bandit** (SAST), **pip-audit** (deps). Manage with **uv**.
+- Type-hint public functions; `from __future__ import annotations` where helpful.
+
+## C\#
+
+- [Microsoft .NET coding conventions](https://learn.microsoft.com/dotnet/csharp/fundamentals/coding-style/coding-conventions); Google C# guide only when aligning a polyglot repo to Google style.
+- `dotnet format` + `.editorconfig`; `<Nullable>enable</Nullable>`; treat warnings
+  as errors where practical; Roslyn analyzers (`Microsoft.CodeAnalysis.NetAnalyzers`).
+- Prefer `async`/`await` end-to-end; no `.Result`/`.Wait()` deadlock traps.
+
+## Rust
+
+Discipline is mostly compiler-enforced.
+
+```text
+cargo fmt --check
+cargo clippy -- -D warnings
+cargo test
+cargo audit
+cargo deny check
+#![forbid(unsafe_code)]   // where the crate allows it
+```
+
+- Follow the [Rust API Guidelines](https://github.com/rust-lang/api-guidelines)
+  for public surfaces.
+- Treat every `unsafe` block as a mini C island: document the invariants,
+  isolate it, review it, test it, fuzz it. See [Tier 3](./03-safety-overlay.md).
+
+## C / C++
+
+Tooling baseline; the analyzability rules live in [Tier 3](./03-safety-overlay.md).
+
+- `clang-format` + `clang-tidy`; build clean at `-Wall -Wextra -Werror`.
+- Sanitizers (ASan/UBSan/TSan) in test builds; static analysis in CI.
+- C++: modern, RAII, smart pointers, STL; avoid raw `new`/`delete`, RTTI-heavy
+  designs, and clever template metaprogramming without a systems reason.
+
+## Shell
+
+- [Google Shell Style Guide](https://google.github.io/styleguide/shellguide.html);
+  **ShellCheck** clean. `set -euo pipefail` (bash) / `set -eu` (POSIX sh).
+- Quote every expansion. Prefer `printf` over `echo` for data. Bound every loop.
+
+## SQL
+
+- **SQLFluff** for lint/format; consistent naming (snake_case tables/columns).
+- Parameterized queries only — never string-concatenate user input.
+- Migrations are forward-only and reviewed; every query that can grow is bounded
+  (`LIMIT`, pagination).
+
+## Markdown / JSON / YAML
+
+- Prettier (md/json/yaml) + **yamllint**; Google Markdown guide for docs.
+- Workflow YAML: **actionlint** + **zizmor** (already in `security-scan.yml`).
+
+---
+
+## Release & versioning
+
+Conventional Commits drive versioning. Per-ecosystem tooling (release-it, PSR,
+cargo-release/release-plz, MinVer) is documented in the
+[README template's automation appendix](../../README.template.md).
diff --git a/docs/standards/03-safety-overlay.md b/docs/standards/03-safety-overlay.md
new file mode 100644
index 0000000..46410a1
--- /dev/null
+++ b/docs/standards/03-safety-overlay.md
@@ -0,0 +1,84 @@
+# Tier 3 — Safety / Critical Overlay
+
+For code where undefined behavior, memory safety, timing, or hardware control
+actually matter: C/C++ firmware, robotics, flight-style software, and any Rust
+that drops to `unsafe` or drives a device. Adopt these on top of
+[Tier 2](./02-languages.md). For prototypes, apply the high-value subset
+(bounded loops, explicit error handling, memory discipline, small functions,
+static analysis, reproducible builds); move toward full compliance as code
+approaches sensor/actuator-adjacent or unattended deployment.
+
+> **JSF** here is **Joint Strike Fighter Air Vehicle C++**, not JavaServer Faces.
+
+## Standards by use case
+
+**C++ systems / embedded / robotics / flight-style**, in priority order:
+
+1. [JSF AV C++](https://www.stroustrup.com/JSF-AV-rules.pdf) — restrict C++ to a
+   safer, analyzable subset.
+2. [MISRA C++](https://www.misra.org.uk/) — widely-adopted analyzable subset.
+3. [NASA/JPL Power of Ten](https://spinroot.com/gerard/pdf/P10.pdf) — ten rules
+   for reviewable, bounded code.
+4. NPR 7150.2D — lifecycle/process discipline.
+5. NASA-STD-8739.8 — software assurance mindset.
+
+**C projects:** MISRA C → Power of Ten → NPR 7150.2D → NASA-STD-8739.8.
+
+## The Power of Ten (daily driver)
+
+```text
+1.  No unbounded recursion.
+2.  No unbounded loops — every loop has a statically provable upper bound.
+3.  No dynamic allocation after initialization in critical paths.
+4.  Keep functions small — one printed page; one responsibility.
+5.  Assert liberally — aim for meaningful runtime checks on every function.
+6.  Declare data at the smallest possible scope.
+7.  Check every return value; check every parameter at entry.
+8.  Limit the preprocessor to includes and simple macros.
+9.  Restrict pointer use; no more than one level of dereference; no function
+    pointers in critical paths.
+10. Compile with all warnings on, zero warnings, plus static analysis.
+```
+
+## Additional constraints (C/C++)
+
+```text
+No goto / setjmp / longjmp.
+Use explicit ownership; document who frees what.
+Avoid exceptions in embedded / safety-critical paths.
+Avoid RTTI and deep / virtual inheritance.
+Prefer compile-time bounds and constants over runtime checks where possible.
+Prefer static analysis + sanitizers + tests over review alone.
+Document every deviation from the standard, with rationale and mitigation.
+```
+
+## Rust in this tier
+
+Rust gives you most of the above for free — keep it that way:
+
+- `#![forbid(unsafe_code)]` by default; if a crate genuinely needs `unsafe`,
+  scope it to a small, audited module with `// SAFETY:` invariants on every block.
+- Bound loops and channels; set explicit timeouts; avoid unbounded queues.
+- Fuzz (`cargo fuzz`) and property-test (`proptest`) the `unsafe` and
+  protocol-parsing surfaces.
+- No `panic!`/`unwrap`/`expect` in device-control or unattended paths — return
+  `Result` and handle deterministically.
+
+## Operational discipline (unattended / device-adjacent)
+
+```text
+Bound all loops/retries; add explicit timeouts.
+Validate all inputs; use typed config schemas.
+Fail closed for auth / security / safety decisions.
+Prefer immutable data; minimize global mutable state.
+Structured logs + health checks + a rollback path.
+Document operational assumptions and the threat model.
+```
+
+## Verification expectations
+
+- Static analysis (clang-tidy/cppcheck/MISRA checker, Clippy) clean in CI.
+- Sanitizer-enabled test builds (ASan/UBSan/TSan).
+- Reproducible builds; pinned toolchains.
+- Traceability for safety-relevant requirements (NPR 7150.2D-style): requirement
+  → code → test, recorded in the repo.
diff --git a/docs/standards/04-security.md b/docs/standards/04-security.md
new file mode 100644
index 0000000..77f24e6
--- /dev/null
+++ b/docs/standards/04-security.md
@@ -0,0 +1,60 @@
+# Security Overlay
+
+Applies to anything handling untrusted input, secrets, authentication, payments,
+PII, or cryptography — i.e. most of the platform. Composes with all three tiers.
+This is the day-to-day checklist; the disclosure process lives in
+[`SECURITY.md`](../../SECURITY.md).
+
+## Pre-merge checklist
+
+```text
+[ ] No hardcoded secrets (API keys, passwords, tokens).
+[ ] All user input validated at the boundary (schema-based where possible).
+[ ] SQL: parameterized queries only — no string concatenation.
+[ ] XSS: output encoded; no unsanitized HTML injection.
+[ ] CSRF protection on state-changing requests.
+[ ] AuthN/AuthZ verified on every protected path; fail closed.
+[ ] Rate limiting on public / abusable endpoints.
+[ ] Error messages don't leak secrets, stack traces, or PII.
+```
+
+## Secret management
+
+- Never hardcode secrets. Use environment variables or a secret manager.
+- Validate required secrets are present at startup; fail fast if missing.
+- Rotate anything that may have been exposed; treat exposure as an incident.
+- GitHub native secret scanning + push protection are on; CI runs OSV/Dependency
+  Review, with opt-in Gitleaks/Semgrep/Snyk (see
+  [`security-scan.yml`](../../.github/workflows/README.md)).
+
+## Reference standards
+
+- [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/)
+  and the [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/) for
+  application security requirements.
+- **CERT** secure coding standards for C/C++/Java.
+- **Semgrep** for custom org rules; **CodeQL** for SAST (GitHub default setup).
+
+## Web specifics
+
+For browser-facing surfaces, in addition to the checklist:
+
+- A production **Content-Security-Policy** (prefer per-request nonces over
+  `'unsafe-inline'`).
+- Security headers: `Strict-Transport-Security`, `X-Content-Type-Options: nosniff`,
+  `X-Frame-Options: DENY`, `Referrer-Policy: strict-origin-when-cross-origin`,
+  a restrictive `Permissions-Policy`.
+- SRI for third-party CDN scripts; prefer self-hosting critical dependencies.
+
+## Crypto & auth
+
+- Use vetted libraries; never roll your own primitives.
+- Constant-time comparisons for secrets/tokens.
+- Short-lived, scoped tokens; verify signatures and audiences.
+- OAuth2/OIDC for delegated auth; validate `iss`/`aud`/`exp`.
+
+## Incident response
+
+If you find a security issue mid-work: **stop**, fix the critical issue before
+continuing, rotate any exposed secret, and sweep the codebase for the same
+pattern. Report per [`SECURITY.md`](../../SECURITY.md) — never via a public issue.
diff --git a/docs/standards/README.md b/docs/standards/README.md
new file mode 100644
index 0000000..c2033b1
--- /dev/null
+++ b/docs/standards/README.md
@@ -0,0 +1,66 @@
+# ResQ Engineering Standards
+
+The org-wide engineering constitution for [`resq-software`](https://github.com/resq-software).
+These standards apply to **every** repository unless a repo's own `AGENTS.md`
+documents a deliberate, written deviation.
+
+> **Philosophy.** Style guides make code *consistent*. Secure-coding standards
+> prevent *bug classes*. Safety-critical standards make behavior *analyzable*.
+> We apply each at the altitude it earns: boring-and-typed everywhere,
+> aerospace-grade only where undefined behavior, memory safety, timing, or
+> hardware control actually matter.
+
+## The three tiers
+
+Standards are layered. Every repo gets Tier 1. Tier 2 is selected by the repo's
+`lang` custom property. Tier 3 is reserved for code that touches physical
+devices, telemetry, auth, crypto, or runs unattended.
+
+| Tier | Scope | Document |
+|------|-------|----------|
+| **1 — Baseline** | Every repo, every language | [`01-baseline.md`](./01-baseline.md) |
+| **2 — Language enforcement** | Per-language tooling & idioms | [`02-languages.md`](./02-languages.md) |
+| **3 — Safety/critical overlay** | C/C++/Rust, device- & flight-adjacent | [`03-safety-overlay.md`](./03-safety-overlay.md) |
+| **Security overlay** | Anything handling untrusted input, secrets, or auth | [`04-security.md`](./04-security.md) |
+
+## The standard stack
+
+| Area | Standard |
+|------|----------|
+| General code quality | [Google Style Guides](https://google.github.io/styleguide/) |
+| TypeScript / JS | `strict` mode + [typescript-eslint](https://typescript-eslint.io/) |
+| Python | [PEP 8](https://peps.python.org/pep-0008/) + Ruff + Pyright |
+| C# | [Microsoft .NET conventions](https://learn.microsoft.com/dotnet/csharp/fundamentals/coding-style/coding-conventions) + analyzers |
+| Rust | rustfmt + Clippy + [Rust API Guidelines](https://github.com/rust-lang/api-guidelines) |
+| C / C++ | [JSF AV C++](https://www.stroustrup.com/JSF-AV-rules.pdf) + [MISRA](https://www.misra.org.uk/) + CERT + [Power of Ten](https://spinroot.com/gerard/pdf/P10.pdf) |
+| Security | [OWASP ASVS / Cheat Sheets](https://owasp.org/), CERT, Semgrep |
+| Critical-systems mindset | NASA/JPL Power of Ten, NPR 7150.2D-style traceability |
+| Documentation | Google Markdown + ADRs + runbooks + the [README template](../../README.template.md) |
+| CI enforcement | the org-wide `required` status check ([`.github/workflows/required.yml`](../../.github/workflows/required.yml)) |
+
+## Rules of thumb
+
+- **Normal apps:** Google style + formatter + linter + tests.
+- **Backend / platform:** add type-checking, static analysis, dependency
+  scanning, structured errors, observability.
+- **Edge / embedded / security-sensitive:** add the Tier 3 overlay — bounded
+  execution, no cleverness, explicit ownership, deterministic failure,
+  documented deviations.
+
+## How this is enforced
+
+- **Mechanically, today:** formatter + linter + type-checker + security scan run
+  in CI via the reusable [`required.yml`](../../.github/workflows/required.yml)
+  workflow; [`repo-standards.yml`](../../.github/workflows/repo-standards.yml)
+  checks LICENSE/README/template conformance. Both feed the single `required`
+  status check gated by the org ruleset `default-branch-baseline`.
+- **By review:** PR reviewers (human + CodeRabbit/Gemini/GHAS) check Tier 2/3
+  adherence that tooling can't express.
+- **By convention:** anything not yet machine-checkable lives here as a written
+  rule. Cite the rule in review; file an issue to automate it.
+
+## Deviations
+
+Deviating is allowed when there's a clear systems-level reason. Record it:
+document the rule waived, why, and the compensating control in the repo's
+`AGENTS.md` (or an ADR under `docs/adr/`). An undocumented deviation is a bug.

From e6a030a995eb363dce2ebc3be4ea9f89afdbd77f Mon Sep 17 00:00:00 2001
From: Mike Odnis <mike@mikeodnis.dev>
Date: Fri, 12 Jun 2026 23:12:53 -0400
Subject: [PATCH 2/5] Update README.template.md

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Mike Odnis <mike@mikeodnis.dev>
---
 README.template.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.template.md b/README.template.md
index c8f37ea..bb72830 100644
--- a/README.template.md
+++ b/README.template.md
@@ -27,7 +27,7 @@
 <!-- MARK: a square logo (~96–120px, assets/logo.png) reads cleaner in this
      centered layout than a wide banner. Swap src/width for a 1200×300
      banner if you prefer one. -->
-<img src="assets/banner.png" alt="{{PROJECT_NAME}}" width="120" />
+<img src="assets/logo.png" alt="{{PROJECT_NAME}}" width="120" />
 
 <h1 align="center">{{PROJECT_NAME}}</h1>
 

From 3209caac89a15b422f8ffbd8f860f077c0ced796 Mon Sep 17 00:00:00 2001
From: Mike Odnis <mike@mikeodnis.dev>
Date: Fri, 12 Jun 2026 23:13:07 -0400
Subject: [PATCH 3/5] Update docs/standards/04-security.md

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Mike Odnis <mike@mikeodnis.dev>
---
 docs/standards/04-security.md | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/docs/standards/04-security.md b/docs/standards/04-security.md
index 77f24e6..bd649e0 100644
--- a/docs/standards/04-security.md
+++ b/docs/standards/04-security.md
@@ -7,16 +7,14 @@ This is the day-to-day checklist; the disclosure process lives in
 
 ## Pre-merge checklist
 
-```text
-[ ] No hardcoded secrets (API keys, passwords, tokens).
-[ ] All user input validated at the boundary (schema-based where possible).
-[ ] SQL: parameterized queries only — no string concatenation.
-[ ] XSS: output encoded; no unsanitized HTML injection.
-[ ] CSRF protection on state-changing requests.
-[ ] AuthN/AuthZ verified on every protected path; fail closed.
-[ ] Rate limiting on public / abusable endpoints.
-[ ] Error messages don't leak secrets, stack traces, or PII.
-```
+- [ ] No hardcoded secrets (API keys, passwords, tokens).
+- [ ] All user input validated at the boundary (schema-based where possible).
+- [ ] SQL: parameterized queries only — no string concatenation.
+- [ ] XSS: output encoded; no unsanitized HTML injection.
+- [ ] CSRF protection on state-changing requests.
+- [ ] AuthN/AuthZ verified on every protected path; fail closed.
+- [ ] Rate limiting on public / abusable endpoints.
+- [ ] Error messages don't leak secrets, stack traces, or PII.
 
 ## Secret management
 

From f14d7a2428f58d19264dba1f654665a81db96890 Mon Sep 17 00:00:00 2001
From: Mike Odnis <airwolf635@gmail.com>
Date: Fri, 12 Jun 2026 23:19:02 -0400
Subject: [PATCH 4/5] docs(standards): align tier wording + fix security-scan
 link target
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- CONTRIBUTING.md: "three-tier model:" → "three-tier model plus a security
  overlay:" so the lead-in matches the four bullets (3 tiers + the security
  overlay). Kept Security as an *overlay* rather than relabeling it "Tier 4",
  to stay consistent with docs/standards/README.md ("The three tiers") and
  04-security.md ("Composes with all three tiers").
- 04-security.md: point the `security-scan.yml` link at the actual workflow
  file (../../.github/workflows/security-scan.yml) so text and href match.

Skipped the suggested README.md edit: it already reads "the three-tier model
(…) + security overlay", which is correct; switching it to "four-tier" would
introduce the contradiction the other docs avoid.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 CONTRIBUTING.md               | 2 +-
 docs/standards/04-security.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 6125bd4..800cea4 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -56,7 +56,7 @@ resq hooks update         # rewrite installed hooks from embedded templates
 ## Engineering standards
 
 Org-wide code standards live in [`docs/standards/`](./docs/standards/) — a
-three-tier model:
+three-tier model plus a security overlay:
 
 - [**Tier 1 — Baseline**](./docs/standards/01-baseline.md): required toolchain,
   hard rules, code shape (every repo).
diff --git a/docs/standards/04-security.md b/docs/standards/04-security.md
index bd649e0..1e9ecf7 100644
--- a/docs/standards/04-security.md
+++ b/docs/standards/04-security.md
@@ -23,7 +23,7 @@ This is the day-to-day checklist; the disclosure process lives in
 - Rotate anything that may have been exposed; treat exposure as an incident.
 - GitHub native secret scanning + push protection are on; CI runs OSV/Dependency
   Review, with opt-in Gitleaks/Semgrep/Snyk (see
-  [`security-scan.yml`](../../.github/workflows/README.md)).
+  [`security-scan.yml`](../../.github/workflows/security-scan.yml)).
 
 ## Reference standards
 

From d4e10c41665b9e2728a9f082105a26cb0e61dadc Mon Sep 17 00:00:00 2001
From: Mike Odnis <airwolf635@gmail.com>
Date: Fri, 12 Jun 2026 23:21:04 -0400
Subject: [PATCH 5/5] docs(standards): move #![forbid(unsafe_code)] out of the
 cargo command block
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's a Rust source-level attribute, not a CLI command — list it as a
prose bullet instead (addresses gemini review on PR #24).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 docs/standards/02-languages.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/standards/02-languages.md b/docs/standards/02-languages.md
index 92daeb0..72e96e6 100644
--- a/docs/standards/02-languages.md
+++ b/docs/standards/02-languages.md
@@ -57,9 +57,10 @@ cargo clippy -- -D warnings
 cargo test
 cargo audit
 cargo deny check
-#![forbid(unsafe_code)]   // where the crate allows it
 ```
 
+- Add `#![forbid(unsafe_code)]` at the crate root where the crate allows it
+  (it's a source attribute, not a CLI flag).
 - Follow the [Rust API Guidelines](https://github.com/rust-lang/api-guidelines)
   for public surfaces.
 - Treat every `unsafe` block as a mini C island: document the invariants,