Prepare the admin template for open-source reuse

.env.example

@@ -0,0 +1,8 @@
+# API mode. Use "mock" for local demos and "http" for a real backend.
+NEXT_PUBLIC_API_MODE=mock
+
+# Required when NEXT_PUBLIC_API_MODE=http.
+NEXT_PUBLIC_API_BASE_URL=https://api.example.com
+
+# Default HTTP timeout in milliseconds. Set to 0 only when callers provide AbortSignal.
+NEXT_PUBLIC_API_TIMEOUT_MS=15000

CHANGELOG.md

@@ -0,0 +1,19 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## 0.1.0 - 2026-06-08
+
+### Added
+
+- Next.js App Router admin shell with login, dashboard, global search, sidebar navigation, and account profile.
+- Mock and HTTP API adapter boundary with normalized errors, request IDs, timeout handling, and session-expiry routing.
+- RBAC primitives for routes, buttons, action permissions, and role data scopes.
+- CRUD patterns for users, roles, menus, notifications, sessions, settings, and audit logs.
+- System health page for runtime mode, backend readiness, version, and operational indicators.
+- Source-level smoke suites for i18n, auth, API contracts, permissions, CRUD, audit, accessibility, production readiness, and template hardening.
+- GitHub Actions CI using `npm run verify`.
+
+### Security
+
+- Documented backend authorization requirements and known dependency advisory handling.

CODE_OF_CONDUCT.md

@@ -0,0 +1,31 @@
+# Code of Conduct
+
+WeBase follows the Contributor Covenant Code of Conduct, version 2.1.
+
+## Our pledge
+
+We pledge to make participation in this project a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
+
+## Our standards
+
+Examples of behavior that contributes to a positive environment:
+
+- using welcoming and inclusive language
+- being respectful of differing viewpoints and experiences
+- gracefully accepting constructive feedback
+- focusing on what is best for the community
+- showing empathy toward other community members
+
+Examples of unacceptable behavior:
+
+- sexualized language or imagery
+- insulting or derogatory comments
+- public or private harassment
+- publishing others' private information without permission
+- other conduct that could reasonably be considered inappropriate in a professional setting
+
+## Enforcement
+
+Project maintainers may remove, edit, or reject comments, commits, code, issues, and other contributions that do not align with this Code of Conduct. Maintainers may also temporarily or permanently ban contributors for behavior they deem inappropriate, threatening, offensive, or harmful.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported through the project's security or maintainer contact channels.

CONTRIBUTING.md

@@ -0,0 +1,36 @@
+# Contributing
+
+Thanks for helping improve WeBase Admin Template.
+
+## Local setup
+
+```bash
+npm ci
+cp .env.example .env.local
+npm run dev
+```
+
+Use mock mode for most UI and template work. Use HTTP mode only when validating a real backend contract.
+
+## Before opening a pull request
+
+Run the full verification gate:
+
+```bash
+npm run verify
+```
+
+For feature modules, also update the relevant source-level smoke script or add a focused script under `scripts/`.
+
+## Development expectations
+
+- Keep route metadata in `src/lib/navigation/route-registry.ts`.
+- Keep permission keys in `src/lib/auth/permissions.ts`.
+- Call feature services from pages and components instead of importing adapters directly.
+- Treat frontend RBAC as a UI convenience only; backend authorization remains mandatory in production.
+- Keep mock data deterministic so demos and smoke scripts stay stable.
+- Avoid new dependencies unless they materially reduce risk or complexity.
+
+## Commit messages
+
+Use clear, decision-oriented commit messages. Include verification evidence in the body when a change affects behavior, release readiness, auth, permissions, or API contracts.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 WeOpen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -2,6 +2,16 @@
 
 WeBase Admin Template is an independent Next.js App Router admin scaffold for building operational management consoles. It includes a polished dark-first login experience, an admin shell, dashboard metrics, local mock CRUD flows, role/menu governance, global search, and system settings.
 
+## Quick start
+
+```bash
+npm ci
+cp .env.example .env.local
+npm run dev
+```
+
+Open `http://localhost:3000`, then sign in with the mock credentials below.
+
 ## Tech stack
 
 - Next.js 16 App Router
@@ -40,6 +50,16 @@ The login form is prefilled with demo credentials:
 
 The current mock adapter accepts the displayed `admin / admin123` credentials, then returns a local demo session. HTTP mode delegates credential validation to the backend.
 
+## Environment variables
+
+Copy `.env.example` to `.env.local` and adjust as needed:
+
+| Variable | Purpose |
+| --- | --- |
+| `NEXT_PUBLIC_API_MODE` | `mock` for local demos, `http` for a real backend |
+| `NEXT_PUBLIC_API_BASE_URL` | Backend base URL when HTTP mode is enabled |
+| `NEXT_PUBLIC_API_TIMEOUT_MS` | Default HTTP timeout in milliseconds |
+
 ## Development commands
 
 ```bash
@@ -70,15 +90,31 @@ npm run verify
 
 Then open `/system/health` to confirm API mode, backend/mock status, frontend version, build target, and operational indicators.
 
+## Production security boundary
+
+Frontend RBAC, route guards, mock sessions, and permission-aware UI controls are template conveniences. A production backend must enforce authentication, authorization, data-scope checks, session expiry, audit logging, CSRF protection where applicable, and rate limiting. Do not treat hidden buttons or client route redirects as security controls.
+
+## Dependency audit note
+
+PostCSS is pinned through npm `overrides` so transitive consumers use a patched release. Track upstream Next.js releases and remove the override once Next depends on a patched PostCSS version directly.
+
 ## Template extension docs
 
 - [Add an admin module](docs/add-admin-module.md)
 - [API adapter guide](docs/api-adapter.md)
 - [Permissions and RBAC](docs/permissions.md)
+- [Contributing](CONTRIBUTING.md)
+- [Security policy](SECURITY.md)
+- [Code of conduct](CODE_OF_CONDUCT.md)
+- [Changelog](CHANGELOG.md)
 - [Admin template hardening plan](docs/plans/2026-06-05-admin-template-hardening.md)
 
 ## API adapter note
 
 The app is wired through `src/lib/api/client.ts`, which delegates to the in-memory mock adapter in `src/lib/api/mock-adapter.ts` by default and can switch to `src/lib/api/http-adapter.ts` with `NEXT_PUBLIC_API_MODE=http`. Feature services under `src/lib/services/` call this client instead of importing mock data directly, so replacing the mock layer with real HTTP requests should be limited to the API client/adapter boundary while preserving service contracts.
 
 Mock data is stored in memory in `src/lib/api/mock-data.ts`; create, update, and delete interactions are for the current browser session only and are not persisted.
+
+## License
+
+MIT

SECURITY.md

@@ -0,0 +1,33 @@
+# Security Policy
+
+## Supported versions
+
+Security updates target the latest `main` branch and the latest tagged release.
+
+## Reporting a vulnerability
+
+Please report suspected vulnerabilities through GitHub Security Advisories or by opening a private report with the maintainers. Do not disclose exploitable details in public issues before maintainers have had a chance to investigate.
+
+Include:
+
+- affected version or commit
+- reproduction steps
+- expected and actual behavior
+- impact assessment
+- any known workaround
+
+## Production security boundary
+
+WeBase Admin Template includes frontend route guards, permission guards, mock sessions, and HTTP adapter contracts. These are template conveniences, not a replacement for backend security.
+
+Production deployments must enforce authentication, authorization, data-scope checks, audit logging, session expiry, CSRF protection where applicable, and rate limiting on the backend.
+
+## Dependency advisories
+
+Run:
+
+```bash
+npm audit --omit=dev
+```
+
+The project pins PostCSS through npm `overrides` so transitive consumers use a patched release. Track upstream Next.js releases and remove the override once Next depends on a patched PostCSS version directly.

package.json

@@ -1,7 +1,29 @@
 {
   "name": "webase-admin-template",
   "version": "0.1.0",
-  "private": true,
+  "description": "A production-ready Next.js admin template for generic management consoles.",
+  "license": "MIT",
+  "homepage": "https://github.com/WeOpen/WeBase#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/WeOpen/WeBase.git"
+  },
+  "bugs": {
+    "url": "https://github.com/WeOpen/WeBase/issues"
+  },
+  "keywords": [
+    "admin",
+    "dashboard",
+    "management-console",
+    "nextjs",
+    "react",
+    "typescript",
+    "rbac",
+    "template"
+  ],
+  "overrides": {
+    "postcss": "8.5.15"
+  },
   "scripts": {
     "dev": "next dev",
     "build": "next build",