docs(ospo): community health rollout v2 — README, agents.md, health files

[dj4oC]

Summary

This PR is part of the Kiteworks OSPO community health rollout (kiteworks.com/opensource), applied to all ~110 public ownCloud repositories starting May 5, 2026.

• README.md: Rewritten with v2 OSPO template
  • License-specific OSPO section with Apache 2.0 migration guidance
  • Mandatory Community & Support section: GitHub Discussions, Matrix, docs, enterprise support, OSPO home
  • Contributing workflow: Rebase Early/Often, Dependabot, PGP/GPG-signed commits, DCO sign-off, GitHub Actions policy
  • Security section pointing to security.owncloud.com + YesWeHack bug bounty
  • Translations link to Transifex (owncloud project)
• agents.md (new): AI agent context file with architecture, build commands, OSPO policy constraints
• CODE_OF_CONDUCT.md (new): Redirect to https://owncloud.com/contribute/code-of-conduct/
• CONTRIBUTING.md (new): Redirect to https://owncloud.com/contribute/
• SECURITY.md (new): Redirect to https://security.owncloud.com + YesWeHack
• SUPPORT.md (new): Redirect to https://owncloud.com/contact-us/ and support channels

Test plan

• README renders correctly on GitHub (badges, sections, links)
• All health file links resolve (CODE_OF_CONDUCT, CONTRIBUTING, SECURITY, SUPPORT)
• agents.md loads correctly in Claude Code and GitHub Copilot
• License referenced in README matches actual LICENSE file in repo

---

🤖 Generated with Claude Code as part of the ownCloud OSPO rollout.
Kiteworks OSPO: https://kiteworks.com/opensource

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Overview

This PR rolls out the Kiteworks OSPO community-health template to owncloud/docs-server: it rewrites README.md and adds agents.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, and SUPPORT.md. The change is documentation-only and generally well structured. I verified the diff against the actual repository state (master) and checked every external link.

Good things confirmed:

• LICENSE matches: the README/agents.md state AGPL-3.0 and the repo LICENSE is genuinely GNU AGPL v3. The "current vs target license" framing is accurate and appropriately cautious.
• All external links resolve (HTTP 200): code-of-conduct, contribute, security.owncloud.com, YesWeHack, doc.owncloud.com, org discussions, Transifex, Matrix, and kiteworks.com/opensource.
• Internal links exist: ./docs/the-branching-workflow.md and ./docs/new-version-branch.md both exist; CONTRIBUTING.md/CODE_OF_CONDUCT.md/SECURITY.md are added in the same PR.
• Build/test claims are correct: npm run antora, npm run antora-local, npm run serve, and npm run linkcheck all exist in package.json; broken-link-checker and http-server are real devDependencies. Dependabot (.github/dependabot.yml) is indeed configured. The GitHub Actions SHA-pinning policy already matches reality (lint-pr-title.yml pins amannn/action-semantic-pull-request to a full SHA).

Code quality / style

Clean, consistent Markdown. Sections are well organized and the OSPO/license-migration block is clearly worded. Mixed link styles (<https://...> autolinks vs bare URLs in SUPPORT.md) are cosmetic only.

Specific suggestions

1. Regression: README no longer documents the Conventional Commits / PR-title requirement. The old README opened with a prominent notice that the repo "uses Conventional Commits for commits and the Pull Request title." This repo actively enforces that via .github/workflows/lint-pr-title.yml (action-semantic-pull-request), so a PR with a non-conventional title will fail CI. The rewritten README drops this entirely — it only survives inside agents.md. Please re-add a Conventional Commits note to the README Contributing/Workflow section so human contributors aren't surprised by a failing check.

2. agents.md "Primary language(s): JavaScript" is inaccurate. This is an AsciiDoc documentation component — ~353 .adoc source files vs ~8 .js files (build tooling only). Listing JavaScript as the primary language is misleading for an AI agent; consider "AsciiDoc (content); JavaScript (Antora build tooling)".

3. Filename casing: agents.md vs AGENTS.md. The emerging cross-tool convention (and what several agents auto-discover) is uppercase AGENTS.md. Lowercase may not be picked up automatically. Recommend renaming to AGENTS.md for the rollout to be effective.

4. Duplication with existing CLAUDE.md. The repo already contains a CLAUDE.md. Adding a parallel agents.md risks divergence over time. Consider whether CLAUDE.md should point to (or be consolidated with) the new agents.md so guidance stays single-sourced.

5. Getting Started sequence is slightly redundant. npm run antora-local already produces the build into public/, and npm run serve (http-server on default :8080) serves it. The instructions are correct, but a one-line note that serve hosts the output of the previous build (rather than a separate dev server) would prevent confusion.

Potential issues / risks

• Low risk overall — documentation only, no code or CI behavior changes.
• The only substantive correctness issue is suggestion (1): silently removing the documented Conventional Commits requirement while CI still enforces it can cause confusing PR failures for contributors. Worth fixing before merge.
• The ## Test plan checklist in the PR description is still unchecked; in particular "agents.md loads correctly in Claude Code and GitHub Copilot" interacts with suggestion (3) — verify discovery actually works with the lowercase filename, and note Copilot reads .github/copilot-instructions.md rather than agents.md.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Overview

This is the OSPO community health rollout v2 PR for owncloud/docs-server. It rewrites README.md with the v2 OSPO template and adds five community-health files: agents.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, SUPPORT.md. Net +189 / -22 across 6 files, targeting master.

This PR was reviewed at an earlier commit and now carries new commits (HEAD 5bb940a, 2 commits on the branch). The notes below reflect the current state and re-check the three issues flagged previously.

Verification against the repo (HEAD): LICENSE is genuinely AGPL-3.0 (README badge + License section correct), package.json contains antora, antora-local, serve, and linkcheck scripts (all referenced commands resolve), and antora.yml, site.yml, modules/, ext-antora/, ext-asciidoc/, global-attributes.yml, docs/the-branching-workflow.md, docs/new-version-branch.md all exist (paths valid).

Code quality / style

• The README is well structured and renders cleanly; section ordering and links are sensible.
• Redirect-style health files (CODE_OF_CONDUCT / CONTRIBUTING / SECURITY / SUPPORT) are concise and consistent.
• Minor inconsistency: SUPPORT.md and agents.md mix bare URLs (https://github.com/orgs/owncloud/discussions) with angle-bracket autolinks (<https://...>) used elsewhere — cosmetic.

Re-check of previously flagged issues

1. README drops the Conventional Commits notice that CI still enforces — NOT fixed (in README).
   The old README stated the repo uses Conventional Commits for the PR title. The v2 README removes this entirely. Confirmed .github/workflows/lint-pr-title.yml still runs amannn/action-semantic-pull-request@... on pull_request, i.e. Conventional-Commit PR titles are still enforced. Contributors reading only the README will hit a failing required check with no in-repo explanation. Partial mitigation: agents.md now documents the Conventional Commits + squash-merge requirement, but human contributors typically read the README, not agents.md. Recommend restoring a short "PR titles must follow Conventional Commits (enforced by CI)" line under README -> Contributing -> Workflow.

2. agents.md mislabels the primary language as JavaScript — NOT fixed.
   agents.md still says Primary language(s): JavaScript. This is a documentation content repo: modules/ contains AsciiDoc (admin_manual, developer_manual, classic_ui, ...) and the source is overwhelmingly .adoc. JavaScript only appears in the Antora build tooling. This is misleading context for AI agents (and the stated Test framework: broken-link-checker is a link checker, not a test framework). Recommend Primary language(s): AsciiDoc (docs content); JavaScript (Antora build tooling).

3. Lowercase agents.md vs AGENTS.md + duplication of existing CLAUDE.md — NOT fixed.
   The file is still committed as lowercase agents.md. The emerging cross-tool convention is uppercase AGENTS.md; on case-sensitive filesystems tools looking for AGENTS.md will miss it. Separately, the repo already contains a CLAUDE.md that covers the same ground (Antora overview, npm install / npm run antora commands, DCO). The new agents.md largely duplicates it, creating two agent-context files that can drift apart. Recommend either renaming to AGENTS.md and having CLAUDE.md point to it (single source of truth), or consolidating.

Specific suggestions

• README "Getting Started" lists npm run serve (serves public/) but never runs a build that populates public/ — npm run antora-local does the build. Either reorder so antora-local precedes serve, or note that serve requires a prior build. As written, a fresh clone running the three commands serves an empty directory.
• agents.md GitHub Actions policy says only owncloud-owned / actions/* / Marketplace-verified actions are allowed. The repo's own lint-pr-title.yml uses amannn/action-semantic-pull-request (third-party, though SHA-pinned and Marketplace-verified) — worth confirming this falls under the "verified Marketplace" carve-out so the policy doesn't appear self-violating.
• The README "License Migration to Apache 2.0" section is long and forward-looking for a docs repo; it correctly notes AGPL-3.0 is current and Category-X. Fine to keep, but it dominates the README relative to the repo's actual purpose.

Potential issues / risks

• Contributor friction (highest impact): the missing Conventional-Commits guidance in README vs. an enforcing required CI check is a real UX regression — first-time contributors get a red check with no in-repo hint. Worth fixing before merge.
• Link risk: https://security.owncloud.com, the YesWeHack program URL, and the Matrix app.element.io deep link were not load-verified here; the test-plan checkbox for link resolution is still unchecked — confirm before merge.
• Low risk: redirect health files duplicate URLs that may change; acceptable for the rollout's consistency goals.

Overall: the factual claims that can be checked against the repo (license, paths, build scripts) are accurate. The three previously-flagged issues remain substantively unaddressed in the canonical locations (README + filename/language). Recommend addressing #1 (Conventional Commits in README) and #2 (language label) before merge; #3 (filename/dedup) is a convention cleanup.