Streampay-Org · HushLuxe · Mar 25, 2026
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,95 @@
+# Contributing to StreamPay Contracts
+
+Thanks for taking the time to contribute!
+
+This repository contains the `streampay-contracts` Soroban smart contract crate.
+
+## Quick start
+
+## Workflow
+
+1. Fork the repository (or create a branch if you have write access).
+2. Create a branch following the naming rules below.
+3. Make focused changes with tests.
+4. Push your branch and open a PR against `main`.
+
+### Prerequisites
+
+- Rust (stable)
+- `rustfmt` (`rustup component add rustfmt`)
+- Optional: Stellar CLI for deployment
+
+### Soroban SDK version
+
+This repo pins `soroban-sdk` to **`22.0`** (see `Cargo.toml`). Please keep PRs compatible with that version unless the PR is explicitly upgrading the SDK.
+
+### Build, format, test (required)
+
+Run these locally before opening a PR:
+
+```bash
+cargo fmt --all -- --check
+cargo build
+cargo test
+```
+
+If you touch contract logic, add/extend tests for edge cases and include a short note in the PR description about what you validated.
+
+## Branch naming
+
+Use short, descriptive branch names in this format:
+
+`<type>/<kebab-case-summary>`
+
+Recommended `type` values:
+
+- `feat/` — new functionality
+- `fix/` — bug fixes
+- `docs/` — documentation-only changes
+- `chore/` — tooling / maintenance
+- `refactor/` — refactors without behavior changes
+- `test/` — tests-only changes
+
+Example:
+
+```bash
+git checkout -b docs/contributing-contracts
+```
+
+## Commit messages
+
+Prefer Conventional Commits:
+
+`type(scope): short summary`
+
+Example:
+
+`docs(contracts): CONTRIBUTING guide for contract developers`
+
+## Code style
+
+- Keep changes small and reviewable.
+- Match the existing Rust style and pass `cargo fmt`.
+- Avoid breaking the public contract interface without an explicit versioning plan.
+- Prefer clear, deterministic contract behavior (auth checks, storage keys, arithmetic).
+
+## Pull request expectations
+
+When opening a PR:
+
+- Describe **what** changed and **why** (link the issue if applicable).
+- Include the commands you ran and their results (at minimum: `cargo test`).
+- Add short **security notes** for contract-logic changes (e.g., auth, overflow/underflow, invariants).
+- Be responsive to review feedback and iterate quickly.
+
+## Timelines
+
+If you’re assigned an issue, aim to open a draft PR or progress update within **96 hours** so others know it’s actively being worked on.
+
+## Security
+
+If you believe you’ve found a vulnerability, please **do not** open a public issue. See `SECURITY.md`.
+
+## Coverage guideline
+
+For PRs that touch contract logic, target **minimum 95% test coverage** for the code you changed (or explicitly justify any gaps in the PR description).
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,12 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+Please **do not** file public GitHub issues for security vulnerabilities.
+
+Instead, use GitHub’s private vulnerability reporting for this repository (Security tab → “Report a vulnerability”), if available. If private reporting is not enabled, contact the project maintainers directly with a minimal reproduction, impact assessment, and suggested fix.
+
+## Supported versions
+
+Security fixes are applied to the latest `main` branch.
+