diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..ba20347 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,24 @@ +version: 2 +updates: + - package-ecosystem: "cargo" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + commit-message: + prefix: "chore(deps)" + labels: + - "dependencies" + open-pull-requests-limit: 5 + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + commit-message: + prefix: "chore(ci)" + labels: + - "dependencies" + - "ci" + open-pull-requests-limit: 5 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6cad184..c6540f5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -32,6 +32,30 @@ jobs: - uses: Swatinem/rust-cache@v2 - run: cargo clippy --all-targets -- -D warnings + msrv: + name: MSRV (1.70) + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: dtolnay/rust-toolchain@master + with: + toolchain: "1.70" + - uses: Swatinem/rust-cache@v2 + - name: Check MSRV compilation + run: cargo check --all-targets + + no-default-features: + name: No Default Features + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: dtolnay/rust-toolchain@stable + - uses: Swatinem/rust-cache@v2 + - name: Build without default features + run: cargo build --no-default-features + - name: Test without default features + run: cargo test --no-default-features + test: name: Test (${{ matrix.os }}) runs-on: ${{ matrix.os }} @@ -49,7 +73,7 @@ jobs: build: name: Build Release runs-on: ubuntu-latest - needs: [fmt, clippy, test] + needs: [fmt, clippy, msrv, no-default-features, test] steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@stable diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..15f3c53 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,167 @@ +# Contributing to ucp-schema + +Thank you for your interest in contributing to **ucp-schema**! This guide will +help you get started. + +## Table of Contents + +- [Code of Conduct](#code-of-conduct) +- [Getting Started](#getting-started) +- [Development Workflow](#development-workflow) +- [Pull Request Process](#pull-request-process) +- [Coding Standards](#coding-standards) +- [Testing](#testing) +- [Contributor License Agreement](#contributor-license-agreement) + +## Code of Conduct + +This project follows the +[Universal Commerce Protocol Code of Conduct](https://github.com/Universal-Commerce-Protocol/ucp/blob/main/CODE_OF_CONDUCT.md). +By participating, you are expected to uphold this code. + +## Getting Started + +### Prerequisites + +- **Rust** 1.70 or later (see `rust-version` in `Cargo.toml`) +- **Cargo** (included with Rust) +- **Git** + +Install Rust via [rustup](https://rustup.rs/): + +```bash +curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh +``` + +### Clone and Build + +```bash +git clone https://github.com/Universal-Commerce-Protocol/ucp-schema.git +cd ucp-schema +cargo build +``` + +### Verify Your Setup + +```bash +make all # Runs fmt-check, lint, test, build +``` + +## Development Workflow + +### Makefile Targets + +| Target | Description | +| ------------------ | --------------------------------------- | +| `make all` | Format check, lint, test, build | +| `make build` | Build debug binary | +| `make release` | Build optimized release binary | +| `make test` | Run all tests | +| `make test-unit` | Run unit tests only (`--lib`) | +| `make test-integration` | Run CLI integration tests | +| `make lint` | Run `cargo clippy` with `-D warnings` | +| `make fmt` | Auto-format code with `rustfmt` | +| `make fmt-check` | Check formatting without modifying | +| `make smoke-test` | Quick test with checkout fixture | +| `make install` | Install release binary to `~/.cargo/bin`| +| `make clean` | Remove build artifacts | + +### 
Feature Flags + +- **`remote`** (default): Enables HTTP-based schema loading via `reqwest`. + Disable with `--no-default-features` for offline-only builds. + +```bash +# Build without remote support +cargo build --no-default-features + +# Run tests without remote support +cargo test --no-default-features +``` + +### Project Layout + +``` +src/ +├── bin/ +│ └── ucp-schema.rs # CLI entry point (clap) +├── compose.rs # Schema composition from capabilities +├── error.rs # Error types (thiserror) +├── lib.rs # Public library API +├── linter.rs # Static analysis / diagnostics +├── loader.rs # Schema loading (file, URL, string) +├── resolver.rs # UCP annotation resolution +├── types.rs # Core types (Direction, Visibility, etc.) +└── validator.rs # Payload validation against schemas +tests/ +├── cli_test.rs # CLI integration tests +├── resolve_test.rs # Resolver unit tests +└── fixtures/ # Test schemas and payloads +``` + +## Pull Request Process + +1. **Fork** the repository and create a feature branch from `main`. +2. **Follow conventional commits** for your commit messages: + - `feat:` – new features + - `fix:` – bug fixes + - `docs:` – documentation only + - `chore:` – maintenance, CI, deps + - `test:` – adding or updating tests + - `refactor:` – code restructuring without behavior change +3. **Ensure all checks pass** before submitting: + ```bash + make all + ``` +4. **Open a Pull Request** against `main` with a clear description of what + changed and why. +5. **Address review feedback** promptly. Maintainers may request changes before + merging. 
+ +### PR Categories + +When opening a PR, indicate which area your change affects: + +- **Core Protocol** – `src/` changes (resolver, composer, validator, linter) +- **Infrastructure** – CI workflows, Makefile, Cargo.toml +- **Documentation** – README, FAQ, contributing guides +- **UCP Schema** – Test fixtures, schema definitions +- **Community Health** – `.github/` configuration, templates + +## Coding Standards + +- **Format** all code with `cargo fmt` before committing. +- **No warnings** – `cargo clippy -- -D warnings` must pass. +- **Error handling** – Use `thiserror` derive macros; avoid `.unwrap()` in + library code. +- **Documentation** – Add `///` doc comments to all public functions and types. +- **Dependencies** – Minimize new dependencies. Discuss additions in the PR. + +## Testing + +- **Unit tests** go in the same file as the code they test, inside a + `#[cfg(test)] mod tests` block. +- **Integration tests** go in `tests/` and exercise the CLI via `assert_cmd`. +- **Fixtures** go in `tests/fixtures/` with descriptive names. +- All new features and bug fixes should include tests. + +```bash +# Run everything +cargo test + +# Run a specific test +cargo test test_name + +# Run with output +cargo test -- --nocapture +``` + +## Contributor License Agreement + +Contributions to this project must be accompanied by a +[Contributor License Agreement](https://cla.developers.google.com/about) (CLA). +You (or your employer) retain the copyright to your contribution; the CLA gives +us permission to use and redistribute your contributions as part of the project. + +Visit to see your current agreements on +file or to sign a new one. You generally only need to submit a CLA once. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..75d0b92 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,58 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 1.x | :white_check_mark: | +| < 1.0 | :x: | + +## Reporting a Vulnerability + +If you discover a security vulnerability in **ucp-schema**, please report it +responsibly. + +**Do NOT open a public GitHub issue for security vulnerabilities.** + +Instead, please use one of the following methods: + +1. **GitHub Security Advisories** (preferred): Navigate to the + [Security Advisories](https://github.com/Universal-Commerce-Protocol/ucp-schema/security/advisories/new) + page and create a new private advisory. + +2. **Email**: Contact the maintainers at the email addresses listed in the + [CODEOWNERS](.github/CODEOWNERS) file or through the + [Universal Commerce Protocol](https://github.com/Universal-Commerce-Protocol) + organization. + +## What to Include + +When reporting a vulnerability, please include: + +- A description of the vulnerability and its potential impact. +- Steps to reproduce the issue. +- Any relevant logs, screenshots, or proof-of-concept code. +- Affected versions (if known). + +## Response Timeline + +- **Acknowledgment**: Within 3 business days of receiving the report. +- **Assessment**: Within 10 business days, we will provide an initial assessment + of the vulnerability. +- **Resolution**: We aim to release a fix within 30 days for confirmed + vulnerabilities, depending on complexity. + +## Scope + +This security policy covers the `ucp-schema` CLI tool and Rust library, +including: + +- JSON Schema resolution and composition logic +- Schema validation +- File and URL loading (when the `remote` feature is enabled) +- CLI argument handling + +## Recognition + +We appreciate responsible disclosure and will acknowledge reporters in the +release notes (unless anonymity is preferred).
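Review bot: in the `.github/dependabot.yml` hunk, both `updates` entries cap `open-pull-requests-limit` at 5 but define no `groups:` block, so every Monday routine patch and minor bumps will each arrive as a separate PR and compete for those five slots with the updates that actually matter; consider grouping non-major updates (e.g. a `groups:` entry with `update-types: ["minor", "patch"]`) so a security bump is not queued behind cosmetic ones. Dependabot also only keeps existing pins current, so the pinning style chosen in `ci.yml` determines what it can track.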
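Review bot: the new `msrv` job in the `.github/workflows/ci.yml` hunk uses `dtolnay/rust-toolchain@master`, a mutable branch ref, while every other step in the same hunk pins a tagged release (`actions/checkout@v4`, `Swatinem/rust-cache@v2`); pin it to a full commit SHA with a version comment so the `github-actions` Dependabot entry can track it and a push to that branch cannot silently change what the MSRV job executes. Two smaller points in the same hunk: `cargo check --all-targets` on 1.70 only proves the crate compiles, so `cargo test` would be the stronger MSRV guarantee if that is the intent, and the `no-default-features` job builds and tests but never lints, whereas the `clippy` job above it only covers the default feature set, so a `cargo clippy --no-default-features -- -D warnings` step would close that gap.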
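Review bot: in the Contributor License Agreement section of the `CONTRIBUTING.md` hunk, the sentence `Visit to see your current agreements on file or to sign a new one.` is missing its link target after `Visit`; restore the CLA URL (the section already links `https://cla.developers.google.com/about`, so the agreements page is presumably the intended destination, but that should be confirmed rather than guessed). Minor style point in the Makefile Targets table: the `make test-integration` row overflows the first column's width, so the table will not line up in a plain-text view.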
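Review bot: option 2 under Reporting a Vulnerability in the `SECURITY.md` hunk directs reporters to "the email addresses listed in the CODEOWNERS file", but `.github/CODEOWNERS` is not added anywhere in this patch and CODEOWNERS entries are normally GitHub handles rather than mailboxes, so a reporter following that option may have no address to write to; either state a dedicated security contact address (and say whether a public key is available for encrypted reports) or drop option 2 and keep the private advisory as the sole channel. Also worth confirming that the `1.x` row in Supported Versions matches the crate version currently declared in `Cargo.toml`, since the Prerequisites in `CONTRIBUTING.md` only pin the compiler (`rust-version` 1.70), not the crate.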