elide-dev
diff --git a/‎.editorconfig
+10 b/‎.editorconfig
+10
diff --git a/‎.github/AUTHORS.md
+16 b/‎.github/AUTHORS.md
+16
diff --git a/‎.github/CODEOWNERS
+1 b/‎.github/CODEOWNERS
+1
diff --git a/‎.github/CODE_OF_CONDUCT.md
+76 b/‎.github/CODE_OF_CONDUCT.md
+76
diff --git a/‎.github/CONTRIBUTORS.md
+23 b/‎.github/CONTRIBUTORS.md
+23
diff --git a/‎.github/GOVERNANCE.md
+48 b/‎.github/GOVERNANCE.md
+48
diff --git a/‎.github/SECURITY.md
+97 b/‎.github/SECURITY.md
+97
diff --git a/‎.github/codecov.yml
+44 b/‎.github/codecov.yml
+44
diff --git a/‎.github/dependency-review-config.yml
+24 b/‎.github/dependency-review-config.yml
+24
diff --git a/‎.github/license-header.txt
+12 b/‎.github/license-header.txt
+12
diff --git a/‎.github/pr-badge.yml
+22 b/‎.github/pr-badge.yml
+22
diff --git a/‎.github/workflows/check.dependency-review.yml
+1-1 b/‎.github/workflows/check.dependency-review.yml
+1-1
diff --git a/‎.github/workflows/check.gradle-wrapper.yml
+1-1 b/‎.github/workflows/check.gradle-wrapper.yml
+1-1
@@ -0,0 +1,10 @@
+root = true
+
+[*]
+charset = utf-8
+insert_final_newline = true
+trim_trailing_whitespace = true
+end_of_line = lf
+indent_style = space
+indent_size = 2
+max_line_length = 120
@@ -0,0 +1,16 @@
+## Elide Project Authors
+
+This file lists the Elide project authors. A contributor is considered an _author_ to the extent their contributions are
+significant enough to impact copyright considerations. This is left to the discretion of project authors but typically
+applies when a full feature is contributed by a single author.
+
+### Sam Gammon (@sgammon)
+
+Sam is the original author of Elide and the primary maintainer. He is the code-owner by default unless otherwise
+specified. All administrative rights have been delegated to second parties. The previous major versions of Elide, `v1`
+and `v2`, were authored by Sam in Python and Java/Kotlin before being retired for Elide's current implementation.
+
+### Dario Valdespino (@darvld)
+
+Dario is a core contributor and maintainer of Elide. He is the code-owner and author of the Express JS intrinsics and
+the serving engine.
@@ -0,0 +1 @@
+*.* @sgammon
@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+- The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+- Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies within all project spaces, and it also applies when
+an individual is representing the project or its community in public spaces.
+Examples of representing a project or community include using an official
+project e-mail address, posting via an official social media account, or acting
+as an appointed representative at an online or offline event. Representation of
+a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at apps at elide dot cloud. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq
@@ -0,0 +1,23 @@
+## Elide Project Contributors
+
+This file lists the Elide project contributors. A contributor is someone who has contributed code in any substantive
+(non-trivial) capacity to the project, but is not necessarily considered a project author.
+
+### Sam Gammon (@sgammon)
+
+Sam is the original author of Elide and the primary maintainer. He is the code-owner by default unless otherwise
+specified. All administrative rights have been delegated to second parties.
+
+### Dario Valdespino (@darvld)
+
+Dario is a core contributor and maintainer of Elide. He is the code-owner and author of the Express JS intrinsics and
+the serving engine.
+
+### Damien O'Hara (@mfwgenerics)
+
+Damien is a contributor to Elide and additionally the author of several upstream components (Kapshot, Koala, etc.). He
+has also helped with extensive code review and thought partnership in the design of Elide.
+
+### Sebastian Schuberth (@sschuberth)
+
+Sebastian is a contributor to Elide.
@@ -0,0 +1,48 @@
+# Elide Project Governance
+
+**The Elide project is an open source software framework and runtime.** It is supported in part by [Elide][1] the
+company, which is known formally as _Elide Technologies, Inc._, a registered Delaware Limited Liability Company. Elide
+is also supported by contributions from independent engineers all over the world.
+
+Elide is a community project, and we welcome new contributors. We are committed to fostering a welcoming environment.
+We expect contributors to follow the [Contributor Covenant Code of Conduct][2] when discussing the project in any forum.
+
+## Project Leadership
+
+The Elide project is led by a core team of authors. The current authorship includes:
+
+- **Sam Gammon (@sgammon)**: Primary author and maintainer of Elide. Code-owner by default unless otherwise noted.
+- **Dario Valdespino (@darvld)**: Core contributor and maintainer of Elide. Code-owner and author of the Express JS
+  intrinsics and the serving engine.
+
+## Process and Governance
+
+Most design and development discussion happens via [GitHub Discussions][3] in an open manner where anybody can join in.
+Proposals typically form in that area and move to a place of consensus before any implementation work begins.
+
+Once a proposal has been made and a consensus has been reached, the core team will work with the author(s) to determine
+the best path forward. This may include the author(s) implementing the proposal, or it may fall to the core team to
+implement the proposal.
+
+### Code review
+
+During the development process, code review is done via GitHub pull requests. The core team reviews and merges all pull
+requests. Contributors may opt to keep their pull requests as drafts until such time as they are ready for review.
+
+### Developer Certificate of Origin (DCO)
+
+Elide requires that all contributors **sign their commits** with a valid cryptographic key registered to their GitHub
+account and email address. **All commits** must also carry a `Signed-off-by` tag in order to be considered for merge.
+This tag indicates that the contributor has read and agreed to the [Developer Certificate of Origin (DCO)][4].
+
+### Contributor License Agreement (CLA)
+
+Elide requires that all contributors agree to the terms of the [Elide Contributor License Agreement (CLA)][5]. This
+agreement clarifies intellectual property rights with regard to the Elide Framework and Runtime. It does not change your
+rights to use your own contributions for any other purpose.
+
+[1]: https://elide.dev
+[2]: ./CODE_OF_CONDUCT.md
+[3]: https://github.com/orgs/elide-dev/discussions
+[4]: ./DCO.md
+[5]: ./CLA.md
@@ -0,0 +1,97 @@
+# Security Policy: Elide Project
+
+> Version: `1.0`
+
+The Elide project and team take security very seriously; a big point of Elide's existence is a lack of isolation in
+other runtimes.
+
+Security issues are addressed promptly, and we continuously enhance project security where at all possible.
+
+## Supported Versions
+
+The Elide project is still early, but we intend to support the latest release and immediate past release.
+Once the project hits a level of stability suitable for a `1.0` version we will update this document and issue an
+LTS release.
+
+**Current version support matrix:**
+
+| Version         | Supported                                   |
+| --------------- | ------------------------------------------- |
+| `v3-alpha4-*`   | :white_check_mark:                          |
+| `v3-alpha3-*`   | :white_check_mark: (Immediate past release) |
+| `v2` and before | :x: No support (ancient)                    |
+
+## Reporting a Vulnerability
+
+**We use GitHub issues to track vulnerabilities.** [Click here][9] to report a new issue.
+If you need to report a vulnerability privately, please use the email address on our main GitHub organization page
+(`apps` at `elide` dot `cloud`).
+
+If you need to provide secure information or your report needs to be encrypted, please use our PGP key, as listed on
+public key servers at the same email address.
+
+The Elide team will respond to vulnerabilities promptly. We will work with you to understand the scope of the issue and
+confirm the vulnerability.
+
+Once confirmed, we will work to address the issue and release a patch as soon as possible, including backporting to the
+latest release and immediate past release.
+
+Other (older) releases may receive backports on a case-by-case basis.
+
+## Security Advisories
+
+We will publish security advisories for any vulnerabilities that we address.
+
+These advisories will be published on our GitHub organization page and will be linked to from this document;
+the main `elide` repository will also have a link to this document.
+
+**At this time, no security advisories have been announced.**
+
+## Supply Chain Security
+
+Elide leverages [dependency verification][1] and [dependency locking][2] for all supported tooling; in any case, we
+select the minimum set of high-quality dependencies necessary to deliver a feature.
+
+In most cases, Elide only depends on standard libraries and language-endorsed extensions.
+
+### Dependency Verification and Locking
+
+Elide employs Gradle for dependency assurance, with `SHA-256` and `PGP` used for hashing and signing.
+
+### Attestations and Signing
+
+Elide ships with [SLSA attestations][3] for all modules, and embeds an SBOM with each binary artifact.
+Library releases are signed with PGP and published to Maven Central; all releases are additionally registered with
+[Sigstore][4].
+
+Container image bases carry SLSA attestations and are registered with Sigstore.
+
+## Continuous Updates
+
+Elide pins to the latest versions of all dependencies, by default, modulo (1) known vulnerabilities and (2) support for
+current features. Every attempt is made to use only stable dependencies; sometimes this is not possible with the speed
+at which development occurs on Elide.
+
+Elide employs Dependabot and Renovate for automated dependency updates, and we continuously monitor for and adopt new
+releases of all software Elide depends on.
+
+## Upstream Policies
+
+Elide is a meta-framework and runtime.
+
+When used as a **library or framework**, the bulk of Elide's functionality is implemented by [Micronaut][5] and
+[Netty][6]. When used as a **runtime**, Elide is built on top of [GraalVM][10].
+
+You can find their security policies [here][7] (Micronaut), [here][8] (Netty), and [here][11] (GraalVM), respectively.
+
+[1]: https://docs.gradle.org/current/userguide/dependency_verification.html
+[2]: https://docs.gradle.org/current/userguide/dependency_locking.html
+[3]: https://slsa.dev/
+[4]: https://www.sigstore.dev/
+[5]: https://micronaut.io/
+[6]: https://netty.io/
+[7]: https://github.com/micronaut-projects/micronaut-core/security/policy
+[8]: https://github.com/netty/netty/security/policy
+[9]: https://github.com/elide-dev/elide/issues/new
+[10]: https://www.graalvm.org/
+[11]: https://github.com/oracle/graal/security/policy
@@ -0,0 +1,44 @@
+codecov:
+  require_ci_to_pass: true
+  bot: "elidebot"
+  notify:
+    wait_for_ci: true
+
+coverage:
+  precision: 2
+  round: down
+  range: "25...40"
+  status:
+    project:
+      default:
+        informational: true
+    patch: off
+
+comment:
+  layout: "reach,diff,flags,files,footer"
+  behavior: default
+  require_changes: false
+
+parsers:
+  javascript:
+    enable_partials: yes
+  gcov:
+    branch_detection:
+      conditional: yes
+      loop: yes
+      method: no
+      macro: no
+
+github_checks:
+  annotations: true
+
+ignore:
+  - "samples"
+  - "tools/processor"
+  - "tools/substrate/injekt"
+  - "tools/substrate/sekret"
+  - "tools/substrate/interakt"
+  - "tools/substrate/compiler-util"
+  - "tools/plugin/gradle-plugin"
+  - "packages/proto/proto-flatbuffers"
+  - "packages/graalvm/src/main/kotlin/elide/runtime/feature"
@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2024 Elide Technologies, Inc.
+#
+# Licensed under the MIT license (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# https://opensource.org/license/mit/
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+# an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under the License.
+#
+
+license-check: true
+vulnerability-check: true
+fail-on-severity: "high"
+
+allow-ghsas:
+  ## Allow `node-fetch`, because it is unused in actual outputs made by this library.
+  - "GHSA-r683-j2x4-v87g"
+  - "GHSA-w7rc-rwvf-8q5r"
+
+  ## Allow `jszip`, because we do not use it in the browser.
+  - "GHSA-jg8v-48h5-wgxg"
@@ -0,0 +1,12 @@
+/*
+ * Copyright (c) 2024 Elide Technologies, Inc.
+ *
+ * Licensed under the MIT license (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *   https://opensource.org/license/mit/
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under the License.
+ */
@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2024 Elide Technologies, Inc.
+#
+# Licensed under the MIT license (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# https://opensource.org/license/mit/
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+# an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under the License.
+#
+
+## Draft/ready for review
+- label: "Status"
+  message: "Draft"
+  color: "gray"
+  when: "$isDraft"
+- label: "Status"
+  message: "Ready for review"
+  color: "green"
+  when: "$isDraft === false"
@@ -19,6 +19,6 @@ jobs:
       - name: "Setup: Checkout"
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:
-            persist-credentials: false
+          persist-credentials: false
       - name: "Checks: Dependency Review"
         uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
@@ -19,6 +19,6 @@ jobs:
       - name: "Setup: Checkout"
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:
-            persist-credentials: false
+          persist-credentials: false
       - name: "Check: Gradle Wrappers"
         uses: gradle/wrapper-validation-action@699bb18358f12c5b78b37bb0111d3a0e2276e0e2 # v2.1.1