chore: repo polish — idempotent schema, SECURITY.md, Docker smoke in release, docs cleanup

[ethanj]

Repo polish — idempotent schema, SECURITY.md, Docker smoke in release, docs cleanup

Overview

Closes out the launch-readiness audit by landing the last trust-signal files,
hardening the release workflow so tagged releases can't ship a broken Docker
image, porting an idempotent-DDL fix from atomicmemory-research so core
doesn't silently drop user data on every container restart, and tightening
the repo's docs surface now that core stands on its own.

Key Features

🔒 Security & Contributor Surface

• SECURITY.md: private disclosure email, concrete response timeline
  (72h acknowledgment, 1 week assessment, 30 day fix best-effort), scope
  limited to the runtime server, supported versions table.
• Issue template config: .github/ISSUE_TEMPLATE/config.yml enables the
  template picker and adds Docs + Discussions contact links so drive-by
  visitors see the community surface before filing issues.

💾 Idempotent Schema Migration (data-loss fix)

• schema.sql was dropping every table on every app startup, so any
  container restart wiped the database. This was the same bug
  atomicmemory-research fixed in e333ccc; core hadn't received the port.
• schema.sql is now idempotent:
  • Removed all 16 DROP TABLE IF EXISTS … statements.
  • Converted 17 CREATE TABLE → CREATE TABLE IF NOT EXISTS.
  • Converted 44 CREATE INDEX → CREATE INDEX IF NOT EXISTS.
  • Header comment now states the idempotency contract and flags the
    ALTER-TABLE caveat for future column changes.
• migrate.ts: stripVectorIndexes regex now matches both
  CREATE INDEX and CREATE INDEX IF NOT EXISTS forms (ports abb5b82
  from research).
• Tradeoff: re-running schema.sql is now a no-op on existing tables.
  Any future column-type change (e.g. a TEXT → UUID migration) has to be
  expressed as an explicit ALTER TABLE block — a plain column definition
  inside CREATE TABLE IF NOT EXISTS gets silently skipped when the table
  already exists.

🔧 Release Workflow Hardening

• Docker smoke test in release: release.yml now runs
  npm run test:docker-smoke between the image build and the GitHub Release
  step. Eight test groups (health, provider, DB, ingest, search, cleanup,
  input validation) run against the real compose stack using the local-WASM
  transformers provider — fully hermetic, no external API calls.
• .env placeholder fix: docker-compose.yml declares env_file: .env,
  which CI doesn't have. Workflow now copies .env.example → .env before the
  smoke step so compose config resolves. The smoke overlay still sets its own
  env vars, so the placeholder content doesn't affect behavior.

📝 Docs Cleanup

• README: dropped the "Not production-hardened yet — alpha quality" line.
  Core now stands on its launch-ready trust signals (CI, tests, release
  harness, SECURITY.md) rather than pre-announcing its own instability.
• CONTRIBUTING: removed the inline "What Belongs Here vs Research"
  section. Repository-boundary rules live in the
  adr-core-vs-research-boundary-2026-04-15 ADR in
  atomicmemory-research/docs/core-repo/; duplicating them in CONTRIBUTING
  created two sources of truth.
• PROVENANCE.md removed: extraction history is captured in the extraction
  plan + ADR in research. A separate PROVENANCE file in core only added
  sync overhead.

Implementation Details

New Files

• SECURITY.md — private disclosure policy
• .github/ISSUE_TEMPLATE/config.yml — template picker + contact links

Modified Files

• src/db/schema.sql — idempotent DDL; no drops; IF NOT EXISTS on every
  CREATE; updated header
• src/db/migrate.ts — stripVectorIndexes regex handles both CREATE INDEX
  forms
• .github/workflows/release.yml — add Docker smoke test step and .env
  placeholder setup
• README.md — drop alpha caveat line
• CONTRIBUTING.md — drop "What Belongs Here vs Research" section

Removed Files

• PROVENANCE.md — consolidated into research-repo ADR + extraction plan

Code Quality

Metrics

• Files Changed: 8
• Insertions: +115 lines
• Deletions: -113 lines

Pre-commit Checks

• ✅ npx tsc --noEmit — clean
• ✅ fallow --no-cache — 0 above threshold, maintainability 90.9 (good)
• ✅ npm test — 869 / 869 tests pass (79 test files)

Testing

• Verify the release workflow succeeds end-to-end on the next tag push
  (previously would have failed at the new smoke step without the .env
  placeholder fix).
• Confirm the GitHub issue-creation page now shows the template picker
  with Docs + Discussions contact links.
• Confirm SECURITY.md renders cleanly and the security@atomicmemory.ai
  mailbox is actually monitored before announcing publicly.
• Schema idempotency: start a fresh core container, write some
  memories, stop the container, start it again, confirm memories survive.
  Previously this was a guaranteed data-wipe.

Deployment Note — schema change

This PR changes schema.sql from drop-and-recreate to idempotent
IF NOT EXISTS. There is no runtime action required to apply the fix —
the next pnpm migrate (or app startup) will simply stop dropping tables.
Existing deployments will keep their data from this point forward.

However: this PR does not migrate any column types or add new columns
on existing tables. If you need to apply such a change in the future, write
an explicit ALTER TABLE block (for example, inside a DO $$ BEGIN IF NOT EXISTS … END $$ guard) — the IF NOT EXISTS guard silently skips new
column definitions inside CREATE TABLE when the table already exists.

Checklist

• SECURITY.md present (closes launch-day trust-signal gap)
• Issue template config present
• Release workflow smoke-tests the Docker image before tagging
• Schema migration is idempotent — no data loss on container restart
• stripVectorIndexes handles both CREATE INDEX forms
• Docs reflect post-launch positioning (no alpha caveat, no duplicated
  boundary section, no redundant PROVENANCE)
• All 869 tests pass, fallow clean, tsc clean

🤖 Generated with Claude Code