[codex] Prepare QuantBase open-source release

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Report a reproducible QuantBase issue
+title: "[Bug]: "
+labels: bug
+assignees: ""
+---
+
+## What happened?
+
+
+## Expected behavior
+
+
+## Steps to reproduce
+
+1.
+2.
+3.
+
+## Environment
+
+- OS:
+- Python:
+- Node:
+- Browser:
+
+## Verification tried
+
+- [ ] `./scripts/check.sh`
+- [ ] Targeted test:
+- [ ] Frontend build:
+
+## Open-source safety check
+
+- [ ] I removed API keys, exchange credentials, webhook URLs, production hosts, private databases, logs, screenshots, and account data.
+- [ ] This report does not request investment advice or claim guaranteed returns.
+- [ ] If real-account behavior is involved, I understand QuantBase is paper/simulation first by default.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Security-sensitive reports
+    url: https://github.com/
+    about: Use a private maintainer channel or GitHub private vulnerability reporting if available. Do not post secrets in public issues.

.github/pull_request_template.md

@@ -0,0 +1,20 @@
+## Summary
+
+-
+
+## Verification
+
+- [ ] `./scripts/check.sh`
+- [ ] Targeted backend tests:
+- [ ] Targeted frontend build or static checks:
+
+## Open-Source Boundary
+
+- [ ] This keeps QuantBase paper/simulation first by default.
+- [ ] This does not add real API keys, exchange credentials, webhook URLs, production hosts, private databases, logs, screenshots, or account data.
+- [ ] This does not describe demo strategies, backtests, AI outputs, or screenshots as investment advice or return promises.
+- [ ] Docs were updated when product behavior, API contracts, page workflows, or risk boundaries changed.
+
+## Notes
+
+-

.github/workflows/check.yml

@@ -31,5 +31,8 @@ jobs:
       - name: Install backend dependencies
         run: python -m pip install -r backend/requirements.txt
 
+      - name: Install backend dev dependencies
+        run: python -m pip install -r backend/requirements-dev.txt
+
       - name: Run checks
         run: ./scripts/check.sh

.gitignore

@@ -48,8 +48,14 @@ logs/
 
 # === 数据库 ===
 *.db
+*.db-shm
+*.db-wal
 *.sqlite
+*.sqlite-shm
+*.sqlite-wal
 *.sqlite3
+*.sqlite3-shm
+*.sqlite3-wal
 
 # === 保留种子数据 ===
 data/klines/
@@ -58,6 +64,7 @@ data/ai_lab_model_config.json
 
 # === 测试 ===
 test-results/
+tests/test_report.txt
 .pytest_cache/
 htmlcov/
 .coverage

AGENTS.md

@@ -10,7 +10,7 @@ Before substantial work, read:
 
 1. `README.md`
 2. `docs/spec.md`
-3. `docs/OPEN_SOURCE_SCOPE.md`
+3. `docs/open-source-scope.md`
 4. the directly relevant page or module documentation
 
 ## Operating Rules

CODE_OF_CONDUCT.md

@@ -0,0 +1,23 @@
+# Code of Conduct
+
+QuantBase is an open-source research and engineering project for paper/simulation workflows. We want discussion to stay useful, respectful, and grounded in reproducible work.
+
+## Expected Behavior
+
+- Be respectful and constructive when discussing bugs, designs, tests, and docs.
+- Keep feedback focused on the project and the evidence.
+- Share enough context for others to reproduce issues without exposing private data.
+- Respect the project boundary: QuantBase is not investment advice, a managed account service, or a copy-trading service.
+
+## Not Acceptable
+
+- Harassment, personal attacks, discriminatory language, or threats.
+- Posting private credentials, API keys, webhook URLs, account screenshots, production hosts, private logs, or private research records.
+- Promising returns, soliciting copy trading, or presenting demo strategies as proven profitable systems.
+- Encouraging users to bypass paper/simulation checks, risk controls, or local compliance review.
+
+## Reporting
+
+If you see conduct concerns, open a maintainer-visible GitHub discussion or issue with the minimum necessary context. Do not include secrets or private account data in public reports.
+
+Maintainers may edit, hide, lock, or remove content that violates these expectations.