[Auto] Promote qa → main

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,24 @@
+# Code of Conduct
+
+## Our standards
+
+This project follows the [Contributor Covenant](https://www.contributor-covenant.org/) v2.1.
+
+We are committed to providing a welcoming and inclusive environment. Expected behavior:
+
+- Use respectful and inclusive language
+- Accept constructive criticism gracefully
+- Focus on what is best for the project
+- Show empathy toward other contributors
+
+Unacceptable behavior includes harassment, discriminatory language, and personal attacks of any kind.
+
+## Enforcement
+
+Violations may be reported to **borrome941@gmail.com**. All reports will be reviewed promptly and confidentially.
+
+Project maintainers who do not uphold this Code of Conduct may be removed from the project.
+
+## Attribution
+
+Adapted from the [Contributor Covenant](https://www.contributor-covenant.org/version/2/1/code_of_conduct/), version 2.1.

.github/CONTRIBUTING.md

@@ -0,0 +1,74 @@
+# Contributing to TuColmadoRD
+
+## Branch flow
+
+```
+feature/your-feature
+        │
+        ▼
+       dev  ──►  qa  ──►  main  ──►  production
+```
+
+All PRs target `dev`. Never push directly to `qa` or `main` — promotion is automatic via CI.
+
+## Before you start
+
+1. Check open issues and discussions to avoid duplicate work.
+2. For significant changes, open an issue or discussion first to align on approach.
+3. Fork the repo and create a branch from `dev`:
+   ```bash
+   git checkout dev
+   git pull origin dev
+   git checkout -b feature/your-feature-name
+   ```
+
+## Local setup
+
+See [[Local Development]] in the wiki or `.docs/STARTUP.md` for full instructions.
+
+```bash
+cp .env.example .env   # fill in values
+docker compose up --build -d
+./executions/migrate.sh
+```
+
+## Commit style
+
+We use [Conventional Commits](https://www.conventionalcommits.org/):
+
+```
+feat(catalog): add product variant support
+fix(gateway): return 404 instead of 500 on unknown tenant
+refactor(auth): extract token refresh into service layer
+docs: update local development guide
+test(reports): add integration test for daily summary
+chore(ci): pin docker buildx version
+```
+
+**Scopes:** `auth`, `gateway`, `api`, `catalog`, `reports`, `notification`, `ecf`, `web`, `landing`, `ci`, `deploy`, `infra`.
+
+## Pull request checklist
+
+- [ ] Branch is up to date with `dev`
+- [ ] All existing tests pass (`docker compose` integration tests)
+- [ ] New behavior has test coverage
+- [ ] No secrets or credentials in the diff
+- [ ] `GHCR_TOKEN` is not committed (it stays in `.env`)
+- [ ] PR description explains *why*, not just *what*
+
+## Code style
+
+- **.NET**: follow existing Clean Architecture layer boundaries — no business logic in controllers
+- **Rust**: `cargo fmt` and `cargo clippy` must pass
+- **TypeScript**: ESLint passes, no `any` casts without a comment explaining why
+- **All services**: every public endpoint must include a tenant_id check
+
+## Testing
+
+- Unit tests: run inside each service directory
+- Integration tests: run via `docker compose` (full stack must be up)
+- Load tests: `perf-lab/` — run the `smoke.js` scenario first to validate reachability
+
+## Questions
+
+Use [GitHub Discussions](https://github.com/odimsom/TuColmadoRD-Monorepo/discussions) — Q&A category for how-to questions, Ideas category for proposals.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,67 @@
+name: Bug report
+description: Something isn't working as expected
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        **Before filing:** check [open issues](https://github.com/odimsom/TuColmadoRD-Monorepo/issues) and the [Q&A discussion](https://github.com/odimsom/TuColmadoRD-Monorepo/discussions/categories/q-a) first.
+
+  - type: dropdown
+    id: service
+    attributes:
+      label: Affected service
+      options:
+        - API Gateway
+        - Core API (.NET)
+        - Auth service
+        - Catalog service (Rust)
+        - Reports service (Rust)
+        - Notification service
+        - ECF Generator
+        - Web Admin (Angular)
+        - Landing page
+        - CI/CD / Deploy
+        - Infrastructure / Traefik
+        - Other
+    validations:
+      required: true
+
+  - type: textarea
+    id: description
+    attributes:
+      label: What happened?
+      description: Clear description of the bug. Include error messages verbatim.
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduction
+    attributes:
+      label: Steps to reproduce
+      placeholder: |
+        1. Call endpoint `GET /api/v1/catalog?tenant_id=...`
+        2. With header `Authorization: Bearer ...`
+        3. Observe response...
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant logs
+      description: "`docker compose logs <service> | tail -50`"
+      render: shell
+
+  - type: input
+    id: environment
+    attributes:
+      label: Environment
+      placeholder: "local / staging / production — Docker Compose v2.x, OS"

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,62 @@
+name: Feature request
+description: Propose a new feature or improvement
+labels: [enhancement]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        For open-ended discussion or early-stage ideas, use [Discussions → Ideas](https://github.com/odimsom/TuColmadoRD-Monorepo/discussions/categories/ideas) instead.
+        Open an issue when the feature is concrete enough to be actionable.
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Area
+      options:
+        - POS / Sales flow
+        - Inventory management
+        - Reporting
+        - Delivery & GPS verification
+        - Employee & shift management
+        - Credit (fiado) management
+        - e-CF / DGII fiscal compliance
+        - Authentication & authorization
+        - API / Gateway
+        - Frontend (web admin)
+        - Desktop app
+        - Infrastructure / DevOps
+        - Developer experience
+    validations:
+      required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem this solves
+      description: What is currently painful or impossible? Be specific.
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: How should it work? Include UI mockups, API shapes, or data models if helpful.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Other approaches you thought about and why you ruled them out.
+
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Pre-submission checklist
+      options:
+        - label: I searched existing issues and discussions
+          required: true
+        - label: This feature fits the scope of a POS/ERP for Dominican colmados
+          required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,44 @@
+## What does this PR do?
+
+<!-- One paragraph. Focus on WHY, not what — the diff already shows what changed. -->
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Refactor (no behavior change)
+- [ ] CI / infrastructure
+- [ ] Documentation
+
+## Affected services
+
+<!-- Check all that apply -->
+- [ ] API Gateway
+- [ ] Core API (.NET)
+- [ ] Auth service
+- [ ] Catalog service (Rust)
+- [ ] Reports service (Rust)
+- [ ] Notification service
+- [ ] ECF Generator
+- [ ] Web Admin (Angular)
+- [ ] Landing page
+- [ ] CI/CD / Deploy scripts
+- [ ] Infrastructure
+
+## Testing
+
+<!-- How was this tested? Which environment? -->
+
+- [ ] Local Docker Compose stack
+- [ ] Unit tests pass
+- [ ] Integration tests pass
+- [ ] Manually tested the affected flow end-to-end
+- [ ] perf-lab smoke test passes (if gateway/service change)
+
+## Checklist
+
+- [ ] Branch is up to date with `dev`
+- [ ] No secrets or credentials in the diff
+- [ ] Commit messages follow Conventional Commits
+- [ ] DB migrations are backward-compatible (if applicable)
+- [ ] `.env.example` updated if new env vars were added

.github/SECURITY.md

@@ -0,0 +1,46 @@
+# Security Policy
+
+## Supported versions
+
+| Version | Supported |
+|---|---|
+| `main` (latest) | ✅ |
+| Older tags | ❌ |
+
+Only the latest commit on `main` receives security fixes.
+
+## Reporting a vulnerability
+
+**Do not open a public issue for security vulnerabilities.**
+
+Report vulnerabilities privately to **borrome941@gmail.com** with:
+
+- A description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- (Optional) suggested fix
+
+You will receive an acknowledgment within 48 hours. We aim to release a fix within 7 days for critical issues.
+
+## Scope
+
+In scope:
+- API Gateway — authentication bypass, JWT forgery, tenant isolation bypass
+- Auth service — credential exposure, token leakage
+- Any endpoint that allows cross-tenant data access
+- SQL injection or command injection in any service
+- Exposed secrets or credentials in build artifacts / Docker images
+
+Out of scope:
+- Issues requiring physical access to the server
+- Social engineering
+- Denial of service (the load-testing perf-lab is intentional)
+- Bugs in third-party dependencies (report those upstream)
+
+## Security design notes
+
+- All API requests require a valid JWT issued by the auth service
+- `tenant_id` is extracted from the JWT — clients cannot supply their own
+- All PostgreSQL queries are parameterized (SQLx compile-time checked in Rust, EF Core in .NET)
+- No service credential is stored in the repository — secrets live in `.env` on the VPS only
+- Internal services are not exposed through Traefik; only the gateway and frontends have public routes