Public release checklist
Use this checklist before making a Bestie repository public.
Must do
Section titled “Must do”- Decide canonical repo name and package name. Prefer
bestie; avoid legacyai-bestieunless intentionally kept for migration. - Add
LICENSE. - Add public quickstart README.
- Add
CONTRIBUTING.md. - Add
SECURITY.md. - Add
CODE_OF_CONDUCT.md. - Add issue templates.
- Add pull request template.
- Add CI workflow.
- Add Dependabot config.
- Add
.env.examplewith empty values only. - Ensure
.gitignoreexcludes.bestie/,.env*, logs, databases, build outputs, andnode_modules/. - Remove raw vendor notes, scraped docs, private planning notes, and local transcripts.
- Run a secret scan before first push.
- Run
npm ci,npm run build, andnpm testfrom a clean checkout.
Should do
Section titled “Should do”- Add
CHANGELOG.md. - Add
CODEOWNERSonce maintainers are defined. - Enable GitHub secret scanning and push protection.
- Enable Dependabot alerts and security updates.
- Enable private vulnerability reporting.
- Enable branch protection for
main. - Create labels:
bug,docs,good first issue,help wanted,security,privacy,telegram,memory,provider,mcp. - Create 3-5 good first issues before announcing publicly.
Nice later
Section titled “Nice later”- CodeQL workflow.
- Release workflow.
- npm publish workflow.
- Docs site.
- Community discussions.
- Project board.
Pre-public scan commands
Section titled “Pre-public scan commands”git status --shortgit ls-files | rg '(^\.bestie/|\.env$|\.env\.|\.pem$|\.key$|\.sqlite$|\.db$|\.log$|raw|transcript)'rg -n "(API_KEY|TOKEN|SECRET|PASSWORD|BEGIN (RSA|OPENSSH|PRIVATE)|sk-[A-Za-z0-9]|xox[baprs]-|ghp_|github_pat_|AIza)" -g '!node_modules' -g '!dist' -g '!package-lock.json'npm cinpm run buildnpm testSecret scans often catch placeholder names. Review hits manually and remove anything real.
Repository settings
Section titled “Repository settings”Recommended public repo description:
Self-hosted AI companion CLI with local-first memory, Telegram support, and safety-minded tool permissions.Recommended topics:
ai, cli, typescript, telegram-bot, local-first, llm, openai-compatible, privacy, mcpEnable:
- Issues
- Dependabot alerts
- Dependabot security updates
- Secret scanning
- Push protection
- Private vulnerability reporting
- Code scanning with CodeQL
Branch protection for main should require PR review, resolved conversations, passing status checks, block force pushes, and block branch deletion.