Codex/pr 424 no server split

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -7,6 +7,7 @@ body:
     attributes:
       value: |
         Thanks for taking the time to report a bug in memU! Please fill in the following details.
+        If this report involves a vulnerability, leaked credential, private user data, or authentication bypass, do not open a public issue. Follow the Security Policy instead: https://github.com/NevaMind-AI/MemU/security/policy
 
   - type: textarea
     id: description

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +1,14 @@
 blank_issues_enabled: false
 contact_links:
   - name: GitHub Discussions
-    url: https://github.com/NevaMind-AI/memU/discussions
+    url: https://github.com/NevaMind-AI/MemU/discussions
     about: For questions and general discussions about memU
+  - name: Security Reports
+    url: https://github.com/NevaMind-AI/MemU/security/policy
+    about: Please report suspected vulnerabilities privately
   - name: Documentation
-    url: https://github.com/NevaMind-AI/memU/blob/main/README.md
+    url: https://github.com/NevaMind-AI/MemU/blob/main/README.md
     about: Check out the memU documentation
+  - name: Community Chat
+    url: https://discord.com/invite/hQZntfGsbJ
+    about: Join the memU Discord community

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,44 +1,41 @@
-## 📝 Pull Request Summary
+## Summary
 
-Please provide a short summary explaining the purpose of this PR.
+Describe what this pull request changes and why it matters.
 
----
-
-## ✅ What does this PR do?
-- Clearly describe the change introduced.
-- Mention the motivation or problem it solves.
-
----
-
-## 🤔 Why is this change needed?
-- Explain the context or user impact.
-- Link any relevant issue or discussion.
-
----
-
-## 🔍 Type of Change
-Please check what applies:
+## Type of Change
 
 - [ ] Bug fix
 - [ ] New feature
 - [ ] Documentation update
-- [ ] Refactor / cleanup
-- [ ] Other (please explain)
+- [ ] Refactor or cleanup
+- [ ] CI, build, or release change
+- [ ] Test-only change
 
----
+## Validation
 
-## ✅ PR Quality Checklist
+- [ ] `make check`
+- [ ] `make test`
+- [ ] `make docs-build`
+- [ ] Focused tests or manual verification listed below
 
-- [ ] PR title follows the conventional format (feat:, fix:, docs:)
-- [ ] Changes are limited in scope and easy to review
-- [ ] Documentation updated where applicable
-- [ ] No breaking changes (or clearly documented)
-- [ ] Related issues or discussions linked
+Validation notes:
+
+```text
+Paste commands, relevant output, or explain why a check was not run.
+```
 
----
+## Review Notes
 
-## 📌 Optional
+- Public API impact:
+- Storage/backend impact:
+- Security or privacy impact:
+- Breaking changes or migration steps:
 
-- [ ] Screenshots or examples added (if applicable)
-- [ ] Edge cases considered
-- [ ] Follow-up tasks mentioned
+## Checklist
+
+- [ ] PR title uses a supported conventional prefix (`feat`, `fix`, `docs`, `test`, `refactor`, `perf`, `style`, `ci`, `build`, `chore`, `revert`)
+- [ ] Changes are limited in scope and easy to review
+- [ ] Tests cover new behavior or regression risk
+- [ ] Documentation, examples, or ADRs are updated when behavior changes
+- [ ] No secrets, credentials, or private user data are included
+- [ ] Related issues or discussions are linked

.github/dependabot.yml

@@ -0,0 +1,47 @@
+version: 2
+updates:
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"
+      prefix-development: "chore(deps-dev)"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "python"
+
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:15"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "rust"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:30"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci(deps)"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "ci"

.github/workflows/build.yml

@@ -2,13 +2,15 @@ name: build
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     strategy:
       matrix:
-        python-version: ["3.13"]
+        python-version: ["3.12", "3.13"]
 
     steps:
       - uses: actions/checkout@v6
@@ -24,12 +26,13 @@ jobs:
         run: uv python install ${{ matrix.python-version }}
 
       - name: Sync dependencies
-        run: |
-          uv sync --frozen
-          uv run pre-commit install
+        run: uv sync --frozen
 
       - name: Run style checks
-        run: uv run make check
+        run: make check
 
       - name: Run tests
-        run: uv run make test
+        run: make test
+
+      - name: Build docs
+        run: make docs-build

.github/workflows/codeql.yml

@@ -0,0 +1,44 @@
+name: codeql
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: "37 3 * * 1"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: python
+            build-mode: none
+          - language: rust
+            build-mode: none
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/release-please.yml

@@ -4,15 +4,21 @@ on:
       - main
 
 permissions:
-  contents: write
-  issues: write
-  pull-requests: write
+  contents: read
+
+concurrency:
+  group: release-please-${{ github.ref }}
+  cancel-in-progress: false
 
 name: release-please
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
     outputs:
       releases_created: ${{ steps.release.outputs.releases_created }}
       tag_name: ${{ steps.release.outputs.tag_name }}
@@ -36,27 +42,27 @@ jobs:
             label: linux-x86_64
             target: x86_64-unknown-linux-gnu
             extra-args: "--compatibility manylinux_2_39"
-            python-version: "3.13"
+            python-version: "3.12"
           - os: ubuntu-latest
             label: linux-aarch64
             target: aarch64-unknown-linux-gnu
             extra-args: "--compatibility manylinux_2_39"
-            python-version: "3.13"
+            python-version: "3.12"
           - os: macos-15-intel
             label: macos-x86_64
             target: ""
             extra-args: ""
-            python-version: "3.13"
+            python-version: "3.12"
           - os: macos-latest
             label: macos-aarch64
             target: ""
             extra-args: ""
-            python-version: "3.13"
+            python-version: "3.12"
           - os: windows-latest
             label: windows-x86_64
             target: ""
             extra-args: ""
-            python-version: "3.13"
+            python-version: "3.12"
     steps:
       - uses: actions/checkout@v6
 
@@ -85,7 +91,7 @@ jobs:
           CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
 
       - name: Upload wheel artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: wheels-${{ matrix.label }}
           path: dist/*.whl
@@ -102,7 +108,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v7
         with:
-          python-version: "3.13"
+          python-version: "3.12"
 
       - name: Setup Rust
         uses: dtolnay/rust-toolchain@stable
@@ -114,7 +120,7 @@ jobs:
         run: uvx maturin sdist --out dist
 
       - name: Upload sdist artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: sdist
           path: dist/*.tar.gz
@@ -130,18 +136,19 @@ jobs:
     if: ${{ needs.release-please.outputs.releases_created == 'true' && needs.release-please.outputs.tag_name != '' }}
     environment: pypi
     permissions:
+      actions: read
       id-token: write
       contents: write
     steps:
       - name: Download wheel artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           pattern: wheels-*
           merge-multiple: true
           path: dist
 
       - name: Download sdist artifact
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           name: sdist
           path: dist

.pre-commit-config.yaml

@@ -9,7 +9,12 @@ repos:
       - id: check-json
       - id: pretty-format-json
         args: [--autofix, --no-sort-keys]
+      - id: check-added-large-files
+        args: [--maxkb=1024]
+      - id: detect-private-key
       - id: end-of-file-fixer
+      - id: mixed-line-ending
+        args: [--fix=lf]
       - id: trailing-whitespace
 
   - repo: https://github.com/astral-sh/ruff-pre-commit

.python-version

@@ -1 +1 @@
-3.13
+3.12

CODE_OF_CONDUCT.md

@@ -0,0 +1,31 @@
+# Code of Conduct
+
+## Our Pledge
+
+We want MemU to be a welcoming, useful, and technically serious open source project. We expect everyone who participates in the project to treat other contributors, users, and maintainers with respect.
+
+## Expected Behavior
+
+- Be kind, patient, and constructive.
+- Assume good intent while still being clear about technical risks.
+- Keep discussions focused on the work, the project, and the people affected by decisions.
+- Welcome newcomers and help them find the right issue, document, or maintainer.
+- Respect privacy, security boundaries, and confidential reports.
+
+## Unacceptable Behavior
+
+- Harassment, intimidation, threats, or personal attacks.
+- Demeaning language related to identity, background, experience level, or technical choices.
+- Publishing private information without explicit permission.
+- Repeatedly derailing discussions after maintainers ask to refocus.
+- Any behavior that makes the project unsafe or hostile for others.
+
+## Reporting
+
+Please report conduct concerns privately by emailing [contact@nevamind.ai](mailto:contact@nevamind.ai). Include enough context for maintainers to understand what happened, such as links, screenshots, dates, and the people involved.
+
+Maintainers will review reports as promptly and fairly as possible. Retaliation against anyone who reports a concern or participates in a review is not acceptable.
+
+## Enforcement
+
+Maintainers may take action to protect the project community, including warnings, comment deletion, temporary restrictions, or removal from project spaces. Enforcement decisions should be proportionate, documented internally, and focused on restoring a healthy collaboration environment.