diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..ce144bf
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,8 @@
+# Code of Conduct
+
+This project follows the ownCloud Code of Conduct.
+
+Please read the full Code of Conduct at:
+****
+
+By participating in this project, you agree to abide by its terms.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..85db846
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,34 @@
+# Contributing
+
+Thank you for your interest in contributing to this project!
+
+Please read the full contributing guidelines at:
+****
+
+## About this repository
+
+This repository builds the official **ownCloud Infinite Scale (oCIS)** Docker
+images ([`owncloud/ocis`](https://hub.docker.com/r/owncloud/ocis) and the daily
+[`owncloud/ocis-rolling`](https://hub.docker.com/r/owncloud/ocis-rolling)). It is
+not the oCIS source code — it builds oCIS from source via a multi-stage
+Dockerfile. Bug reports and feature requests for oCIS itself belong in the
+upstream [`owncloud/ocis`](https://github.com/owncloud/ocis) repository; use this
+repository's issues only for the Docker packaging. See the [README](README.md)
+for build details, supported tags and usage.
+
+## Pull requests
+
+- **Rebase Early, Rebase Often!** We use a rebase workflow. Rebase on the target
+ branch before submitting a PR; do not create merge commits.
+- **Signed commits**: All commits **must** be PGP/GPG signed. See
+ [GitHub's signing guide](https://docs.github.com/en/authentication/managing-commit-signature-verification).
+- **DCO Sign-off**: Every commit must carry a `Signed-off-by` line:
+ ```
+ git commit -S -s -m "your commit message"
+ ```
+- **Conventional Commits**: PR titles must follow the
+ [Conventional Commits](https://www.conventionalcommits.org/) format — this is
+ enforced by CI, and the PR title becomes the squash-merge commit message.
+- **GitHub Actions Policy**: Workflows may only use actions that are (a) owned by
+ `owncloud`, (b) created by GitHub (`actions/*`), or (c) verified in the GitHub
+ Marketplace. Pin all actions to their full commit SHA.
diff --git a/README.md b/README.md
index 551b72d..cf6eebb 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@
# ownCloud Infinite Scale Docker Image
[](https://hub.docker.com/r/owncloud/ocis)
+[](https://github.com/owncloud-docker/ocis/blob/master/LICENSE)
+[](https://kiteworks.com/opensource)
Docker image for [ownCloud Infinite Scale (oCIS)](https://github.com/owncloud/ocis) — a modern file-sync and share platform.
@@ -96,6 +98,62 @@ The GitHub Actions workflow (`.github/workflows/main.yml`) builds and validates
3. **Smoke test** — starts the container, polls `https://localhost:9200/status.php` every 2s for up to 62s, and verifies the `.productversion` field in the JSON response matches the built tag. Uses `OCIS_INSECURE=true` to allow self-signed TLS on the test runner.
4. **Publish** — pushes to Docker Hub with floating major/minor tags (on `master` only).
+## Community & Support
+
+- [ownCloud Website](https://owncloud.com)
+- [Community Discussions](https://github.com/orgs/owncloud/discussions)
+- [Matrix Chat](https://app.element.io/#/room/#owncloud:matrix.org)
+- [Documentation](https://doc.owncloud.com)
+- [Enterprise Support](https://owncloud.com/contact-us/)
+- [OSPO Home](https://kiteworks.com/opensource)
+
+See [SUPPORT.md](SUPPORT.md) for the full list of support channels.
+
+## Contributing
+
+We welcome contributions! Please read the [Contributing Guidelines](CONTRIBUTING.md)
+and our [Code of Conduct](CODE_OF_CONDUCT.md) before getting started.
+
+- **Rebase Early, Rebase Often!** We use a rebase workflow — rebase on the target
+ branch before submitting a PR.
+- **Signed commits**: All commits **must** be PGP/GPG signed and carry a DCO
+ `Signed-off-by` line (`git commit -S -s`).
+- **Conventional Commits**: PR titles must follow the
+ [Conventional Commits](https://www.conventionalcommits.org/) format — enforced
+ by CI.
+- **GitHub Actions Policy**: Workflows may only use actions owned by `owncloud`,
+ created by GitHub (`actions/*`), or verified in the GitHub Marketplace, pinned
+ to a full commit SHA.
+
+Note: bug reports and feature requests for oCIS itself belong upstream in
+[`owncloud/ocis`](https://github.com/owncloud/ocis) — this repository tracks only
+the Docker packaging.
+
+## Security
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Report vulnerabilities at **** — see [SECURITY.md](SECURITY.md).
+
+Bug bounty: [YesWeHack ownCloud Program](https://yeswehack.com/programs/owncloud-bug-bounty-program)
+
+## About the ownCloud OSPO
+
+The [Kiteworks Open Source Program Office](https://kiteworks.com/opensource), operating under
+the [ownCloud](https://owncloud.com) brand, launched on May 5, 2026, to steward the open source
+ecosystem around ownCloud's products. The OSPO ensures transparent governance, license compliance,
+community health, and sustainable collaboration between the open source community and
+[Kiteworks](https://www.kiteworks.com), which acquired ownCloud in 2023.
+
+- **OSPO Home**:
+- **GitHub**:
+- **ownCloud**:
+
+For questions about the OSPO or licensing, contact ospo@kiteworks.com.
+
+This repository is licensed under the **Apache License 2.0**, which is the license
+the OSPO is adopting across the ecosystem. No relicensing is required.
+
## License
Apache-2.0 — see [LICENSE](LICENSE).
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..78094ae
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,11 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Do NOT open a public GitHub issue for security vulnerabilities.**
+
+Please report security issues responsibly via:
+****
+
+You can also report vulnerabilities through our YesWeHack bug bounty program:
+****
diff --git a/SUPPORT.md b/SUPPORT.md
new file mode 100644
index 0000000..bed05d6
--- /dev/null
+++ b/SUPPORT.md
@@ -0,0 +1,10 @@
+# Support
+
+For support with this project, please use the following channels:
+
+- **Enterprise Support**:
+- **Community discussions**:
+- **Matrix Chat**:
+- **Documentation**:
+
+Please do not use GitHub issues for general support questions.
diff --git a/agents.md b/agents.md
new file mode 100644
index 0000000..a9a661e
--- /dev/null
+++ b/agents.md
@@ -0,0 +1,111 @@
+# agents.md — ocis
+
+## Repository Overview
+
+This repository builds the official **ownCloud Infinite Scale (oCIS)** Docker
+images (`owncloud/ocis` on Docker Hub, plus the daily `owncloud/ocis-rolling`).
+It does not contain the oCIS source code — it builds oCIS **from source** via a
+multi-stage Dockerfile and ships a minimal Alpine runtime image. Images are
+multi-architecture and built via GitHub Actions.
+
+- **Classification:** Docker image build (from source)
+- **Activity Status:** Active
+- **License:** Apache-2.0
+- **Language:** Dockerfile, Shell
+
+## Architecture & Key Paths
+
+- `v8/` — oCIS 8.x build context
+ - `v8/Dockerfile.multiarch` — three-stage build:
+ - **node-builder** — clones oCIS at `v${VERSION}`, builds the IDP React
+ frontend (`pnpm build`) and pulls the web assets (`make pull-assets`);
+ both are needed at compile time due to `//go:embed`. The `pnpm` step is
+ skipped automatically on newer `master` ("no-npm") commits.
+ - **go-builder** — compiles the oCIS binary with CGO + libvips via the
+ upstream `release-linux-docker-${TARGETARCH}` Makefile target.
+ - **runtime** — minimal Alpine image; runs `apk upgrade` at build time so
+ OS security fixes are picked up immediately.
+ - `v8/.trivyignore` — accepted-CVE exclusions for the Trivy scan
+- `ubuntu-wf/` — helper directory
+- `docs/` — design/spec notes
+- `.github/workflows/main.yml` — **active** CI: builds the release matrix
+- `.github/workflows/rolling.yml` — nightly build tracking oCIS `master`
+- `.github/workflows/lint-pr-title.yml` — Conventional-Commit PR-title enforcement
+- `.github/dependabot.yml` — weekly GitHub Actions dependency updates
+- `.github/CODEOWNERS` — review ownership
+- `.renovaterc.json` — Renovate preset for Docker digest updates
+- `.editorconfig` — formatting rules (2-space indent, LF, trailing newline)
+- `.trivyignore` — repo-root accepted-CVE exclusions
+- `LICENSE` — Apache-2.0
+
+There is **no `CHANGELOG.md`** in this repository.
+
+## Build & CI
+
+The image is built entirely from source. CI (`main.yml`) calls the reusable
+`docker-build-native.yml` workflow hosted in
+[`owncloud-docker/ubuntu`](https://github.com/owncloud-docker/ubuntu):
+
+- Release matrix builds tagged oCIS versions (e.g. `8.0.5` → `8.0`, `8`;
+ `8.1.0-rc.2` exact tag only), plus immutable `-YYYYMMDD` tags.
+- `rolling.yml` resolves oCIS `master` HEAD nightly and publishes
+ `owncloud/ocis-rolling` (`latest`, `YYYYMMDD`, `sha-`). `VERSION` is
+ left empty on purpose so the build derives the version from the git HEAD.
+- Smoke test: poll `https://localhost:9200/status.php` (with `OCIS_INSECURE=true`)
+ and assert `.productversion` matches the built tag.
+- Trivy vulnerability scan (`.trivyignore` + `v8/.trivyignore`).
+- On non-PR events: push to Docker Hub and sync the README as the description.
+
+To build locally:
+
+```bash
+docker buildx build \
+ --build-arg VERSION=8.0.5 \
+ --build-arg REVISION=$(git rev-parse HEAD) \
+ --platform linux/amd64 \
+ -f v8/Dockerfile.multiarch v8/
+```
+
+The image exposes port `9200` and uses volumes `/var/lib/ocis`, `/etc/ocis`.
+
+## Development Conventions
+
+- **No CHANGELOG** — do not create one.
+- Conventional-Commit PR titles, enforced by `lint-pr-title.yml`.
+- `.editorconfig` governs formatting.
+- GitHub Actions are pinned to full commit SHAs.
+- Bug reports for oCIS itself go upstream to
+ [`owncloud/ocis`](https://github.com/owncloud/ocis); this repo tracks only the
+ Docker packaging.
+
+## OSPO Policy Constraints
+
+### GitHub Actions
+- **Only** use actions owned by `owncloud`, created by GitHub (`actions/*`),
+ verified on the GitHub Marketplace, or verified by the ownCloud Maintainers.
+- Pin all actions to their full commit SHA (not tags): `uses: actions/checkout@ # vX.Y.Z`.
+- Never introduce actions from unverified third parties.
+
+### Dependency Management
+- Dependabot is configured for GitHub Actions updates; Renovate handles Docker
+ base-image digest updates.
+- Review and merge dependency PRs as part of regular maintenance.
+
+### Git Workflow
+- **Rebase policy**: Always rebase; never create merge commits.
+- **Signed commits**: All commits **must** be PGP/GPG signed (`git commit -S`).
+- **DCO sign-off**: Every commit needs a `Signed-off-by` line (`git commit -s`).
+- **Conventional Commits & Squash Merge**: PR titles must follow
+ [Conventional Commits](https://www.conventionalcommits.org/); the PR title
+ becomes the squash-merge commit message and is enforced by CI.
+
+## Context for AI Agents
+
+- This is a Docker-image build repo that compiles oCIS from source — not the oCIS
+ application codebase.
+- The active build systems are `main.yml` (releases) and `rolling.yml` (nightly
+ master); the rolling build intentionally leaves `VERSION` empty.
+- The README is published verbatim as the Docker Hub image description — keep it
+ accurate and self-contained.
+- License is **Apache-2.0**, which is the OSPO's ecosystem-wide migration target;
+ no relicensing is required.