docs: add contributor guidance, security policy improvements and GitHub templates

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,24 @@
+---
+name: Bug Report
+about: Report a bug
+---
+
+## Description
+
+## Steps To Reproduce
+
+## Expected Behavior
+
+## Actual Behavior
+
+## Environment
+
+- Browser:
+- OS:
+
+## Affected Area
+
+- [ ] Frontend
+- [ ] Backend
+- [ ] Stellar
+- [ ] Payments

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,6 @@
 blank_issues_enabled: false
+
 contact_links:
-  - name: Security vulnerability report
-    url: https://github.com/Obiajulu-gif/chain_move/security/policy
-    about: Please report sensitive security issues privately instead of opening public issues.
+  - name: Security Report
+    about: Report security vulnerabilities privately
+    url: mailto:security@chainmove.xyz

.github/ISSUE_TEMPLATE/documentation.md

@@ -0,0 +1,10 @@
+---
+name: Documentation
+about: Documentation improvements
+---
+
+## Section
+
+## Current Problem
+
+## Proposed Update

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,12 @@
+---
+name: Feature Request
+about: Suggest a new feature
+---
+
+## Problem
+
+## Proposed Solution
+
+## Alternatives
+
+## Additional Context

.github/ISSUE_TEMPLATE/stellar_integration.md

@@ -0,0 +1,18 @@
+---
+name: Stellar Integration
+about: Stellar-related improvement
+---
+
+## Component
+
+- Wallet
+- Asset
+- Horizon
+- Soroban
+- RPC
+
+## Proposal
+
+## Expected Outcome
+
+## Security Considerations

.github/pull_request_template.md

@@ -1,44 +1,36 @@
 ## Summary
 
-What changed?
+Describe your changes.
 
-## Area changed
+## Related Issue
 
-Check all that apply:
+Closes #
 
-- [ ] Frontend / UI
-- [ ] Backend / API routes
-- [ ] Auth / Privy
-- [ ] Payments / Paystack
-- [ ] Email / Resend
-- [ ] Stellar / Soroban
-- [ ] MongoDB models
+## Affected Areas
+
+- [ ] Frontend
+- [ ] Backend
+- [ ] Authentication
+- [ ] Payments
+- [ ] Stellar
 - [ ] Documentation
 - [ ] Tests
-- [ ] Security
-
-## Contributor safety checklist
-
-- [ ] I did not commit `.env.local` or real secrets.
-- [ ] I did not expose server-only variables in client-side code.
-- [ ] I used mock mode or my own sandbox/test credentials.
-- [ ] I did not add deployment steps for contributor PRs.
-- [ ] I did not add maintainer-only credentials.
-
-## Testing
+- [ ] UI/UX
 
-Commands run:
+## Checklist
 
-```bash
-npm run lint
-npx tsc --noEmit
-npm run build
-```
+- [ ] Code follows project conventions
+- [ ] npm run lint passes
+- [ ] npm run build passes
+- [ ] Tests updated where needed
+- [ ] No secrets committed
+- [ ] No production credentials used
+- [ ] Documentation updated if required
 
-## Screenshots / demo
+## Screenshots
 
-Add screenshots or screen recordings for UI changes.
+If applicable.
 
-## Notes for maintainers
+## Additional Notes
 
-Mention anything that needs special review, migration, or follow-up.
+Optional.

CONTRIBUTING.md

@@ -94,3 +94,67 @@ Avoid reintroducing stale Lisk, EVM, Solana, or Thirdweb assumptions unless the
 ## Security-sensitive changes
 
 Open a small PR and explain the risk being fixed. Security-sensitive areas include session handling, Privy token verification, Paystack webhooks, KYC upload/encryption, Stellar signing, admin permissions, and database access controls.
+
+## Environment Setup
+
+1. Copy the example environment file:
+
+```bash
+cp .env.example .env.local
+```
+Populate only your local development values.
+Never request production credentials from maintainers.
+Never commit:
+.env.local
+API keys
+JWT secrets
+database credentials
+Stellar private keys
+
+---
+
+## Mock Development
+
+Contributors should use mock mode whenever possible.
+
+Do not depend on production services for feature development.
+
+Use local test data and development configurations.
+
+---
+
+## Pull Request Guidelines
+
+Keep pull requests focused.
+
+Good examples:
+
+- Wallet UI improvements
+- Documentation updates
+- Authentication fixes
+- Stellar integration enhancements
+
+Avoid combining unrelated changes.
+
+Before opening a PR run:
+
+```bash
+npm run lint
+npm run build
+```
+
+---
+
+## Affected Areas
+
+When opening a PR specify:
+
+- Frontend
+- Backend
+- Authentication
+- Payments
+- Stellar
+- Documentation
+- Tests
+- UI/UX
+

SECURITY.md

@@ -57,3 +57,41 @@ Request maintainer review when touching:
 - Add tests for Paystack webhook signature validation.
 - Add tests for Privy token validation and role selection.
 - Add a secret scanning checklist to PR review.
+
+## Reporting Vulnerabilities
+
+Please do not create public GitHub issues for security vulnerabilities.
+
+Report vulnerabilities privately to the maintainers.
+
+Include:
+
+- Description
+- Impact
+- Reproduction steps
+- Suggested remediation
+
+## Sensitive Information
+
+Never expose:
+
+- Production API keys
+- JWT secrets
+- Database credentials
+- Payment provider secrets
+- Stellar private keys
+
+## Stellar Security
+
+Stellar private keys must:
+
+- Never be committed
+- Never be stored in frontend source code
+- Never be embedded in client bundles
+- Never appear in screenshots or examples
+
+Use environment variables for all secrets.
+
+## Responsible Disclosure
+
+Allow maintainers reasonable time to investigate and remediate before public disclosure.