meta: add LICENSE, NOTICE, governance docs, and .github/ templates

Open-source release readiness pass — adds the standard files needed
for a recruiter / hiring manager (or any external contributor) to land
on the repo and immediately know how to license, contribute, report
security issues, and file good bugs.

Created at repo root:
- LICENSE — MIT, Copyright (c) 2026 Steven Wang. Aligns with the
existing license declaration in cortex/pyproject.toml.
- NOTICE — third-party attribution for the bundled
cortex/models/face_landmarker.task (MediaPipe FaceLandmarker,
Apache-2.0) and the major runtime dependencies; references the
peer-reviewed papers underlying the rPPG pipeline.
- SECURITY.md — private disclosure via GitHub Security Advisories;
pins the project's biometric privacy invariants (no video stored,
no biometrics in LLM payloads, 127.0.0.1-only network surface,
capability-token gate, consent ladder) as security regressions if
weakened.
- CONTRIBUTING.md — light single-author guide centred on the schema-
codegen workflow (the project's distinguishing convention), audit-
ledger commit prefix, and a strict PR checklist. ~150 lines.
- SUPPORT.md — honest expectation-setting: portfolio project, best-
effort, points first-time users at wiki + Troubleshooting.
- CODE_OF_CONDUCT.md — short pointer to Contributor Covenant 2.1
rather than vendoring the full text.

Created under .github/:
- ISSUE_TEMPLATE/config.yml — disables blank issues; surfaces the
Security Advisories link, Troubleshooting wiki, and Discussions.
- ISSUE_TEMPLATE/bug_report.yml — Form template (macOS version,
install method, daemon log excerpt with cid quote-back, repro).
- ISSUE_TEMPLATE/feature_request.yml — Form template that requires
the proposer to think about the privacy invariants and link any
related audit finding.
- PULL_REQUEST_TEMPLATE.md — Summary, audit-ledger link, test plan,
schema codegen confirmation checkbox, privacy-invariant checklist.
- dependabot.yml — weekly pip / npm (browser + vscode extensions) /
github-actions updates with prefixed commit messages.

No code is touched. CITATION.cff and FUNDING.yml were deliberately
skipped (signal mismatch for a SWE portfolio).