chore: prepare repository for public release and add branch rulesets

Summary of changes:
- Removed hardcoded private IPs from nginx_example.conf and launch.json.
- Added CONTRIBUTING.md policy to restrict unsolicited Pull Requests.
- Created PULL_REQUEST_TEMPLATE.md for contributor validation.
- Generated GitHub Ruleset JSON files (ruleset_main.json, ruleset_push_limits.json) for branch protection.
- Updated README.md with contributing notice.

Author: Refraggerator

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,16 @@
+<!-- 
+🛑 STOP 🛑
+
+By submitting this pull request, you confirm that you are an APPROVED collaborator on this project. 
+Unsolicited Pull Requests from unauthorized users will be automatically closed without review. 
+For more information, please read the CONTRIBUTING.md file.
+-->
+
+## Description
+<!-- Briefly describe your changes. -->
+
+## Related Issues
+<!-- Link any related issues here. -->
+
+## Contributor Approval
+- [ ] I confirm I am an approved collaborator for this repository.

.github/ruleset_main.json

@@ -0,0 +1,54 @@
+{
+  "name": "Strict Main Branch Protection",
+  "target": "branch",
+  "enforcement": "active",
+  "bypass_actors": [
+    {
+      "actor_id": 5,
+      "actor_type": "RepositoryRole",
+      "bypass_mode": "always"
+    }
+  ],
+  "conditions": {
+    "ref_name": {
+      "exclude": [],
+      "include": [
+        "~DEFAULT_BRANCH"
+      ]
+    }
+  },
+  "rules": [
+    {
+      "type": "deletion"
+    },
+    {
+      "type": "non_fast_forward"
+    },
+    {
+      "type": "pull_request",
+      "parameters": {
+        "dismiss_stale_reviews_on_push": true,
+        "require_code_owner_review": false,
+        "require_last_push_approval": true,
+        "required_approving_review_count": 1,
+        "required_review_thread_resolution": true
+      }
+    },
+    {
+      "type": "required_status_checks",
+      "parameters": {
+        "strict_required_status_checks_policy": true,
+        "required_status_checks": [
+          {
+            "context": "flutter_tests",
+            "integration_id": 15368
+          },
+          {
+            "context": "go_tests",
+            "integration_id": 15368
+          }
+        ]
+      }
+    }
+  ]
+}

.github/ruleset_push_limits.json

@@ -0,0 +1,28 @@
+{
+  "name": "Limit large pushes & strict email via Push Rules",
+  "target": "push",
+  "enforcement": "active",
+  "bypass_actors": [
+    {
+      "actor_id": 5,
+      "actor_type": "RepositoryRole",
+      "bypass_mode": "always"
+    }
+  ],
+  "conditions": {},
+  "rules": [
+    {
+      "type": "commit_author_email_pattern",
+      "parameters": {
+        "operator": "ends_with",
+        "pattern": "@users.noreply.github.com"
+      }
+    },
+    {
+      "type": "file_path_length",
+      "parameters": {
+        "max_file_path_length": 256
+      }
+    }
+  ]
+}

.vscode/launch.json

@@ -57,7 +57,7 @@
             "id": "androidDeviceId",
             "type": "promptString",
             "description": "Android device IP:port — press Enter to reuse, or type a new address to change the default",
-            "default": "10.10.0.109:39509"
+            "default": "192.168.1.xxx:5555"
         }
     ]
 }

CONTRIBUTING.md

@@ -0,0 +1,13 @@
+# Contributing
+
+**Please read before submitting a Pull Request!**
+
+This project is currently developed as a closed contribution repository. While the source code is public for educational purposes and transparency, we do **not** accept unsolicited Pull Requests at this time.
+
+## Policy
+
+- **Only pre-approved collaborators** are allowed to submit Pull Requests.
+- Unapproved Pull Requests will be automatically flagged and **closed without review**.
+- If you would like to report a bug or request a feature, please do so by creating an **Issue** rather than a Pull Request.
+
+Thank you for your understanding and for taking the time to explore this project!

README.md

@@ -150,3 +150,8 @@ dart analyze lib
   (warning: deletes all data).
 - **Linux build errors:** Use manually installed Flutter (not Snap).
   Install: `sudo apt-get install clang cmake ninja-build pkg-config libgtk-3-dev liblzma-dev`
+
+## Contributing
+
+Currently, this repository is open for public viewing and learning, but **closed to public contributions**. Only selected and approved contributors may submit Pull Requests. Please see the [CONTRIBUTING.md](CONTRIBUTING.md) for more details.
+

nginx_example.conf

@@ -38,7 +38,7 @@ server {
 
     # --- Synapse Client-Server + Federation API ---
     location /_matrix/ {
-        proxy_pass http://10.10.0.52:8008;
+        proxy_pass http://127.0.0.1:8008;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -51,7 +51,7 @@ server {
 
     # --- Synapse Sync endpoint (long-polling, needs long timeout) ---
     location /_matrix/client/v3/sync {
-        proxy_pass http://10.10.0.52:8008;
+        proxy_pass http://127.0.0.1:8008;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -62,7 +62,7 @@ server {
 
     # --- Synapse Media API ---
     location /_matrix/media/ {
-        proxy_pass http://10.10.0.52:8008;
+        proxy_pass http://127.0.0.1:8008;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -72,7 +72,7 @@ server {
 
     # --- Concord Application Service API (invite codes, LiveKit tokens) ---
     location /api/ {
-        proxy_pass http://10.10.0.52:3000;
+        proxy_pass http://127.0.0.1:3000;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -81,7 +81,7 @@ server {
 
     # --- Element Call (web-based group calls) ---
     location /call/ {
-        proxy_pass http://10.10.0.52:8090/;
+        proxy_pass http://127.0.0.1:8090/;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -103,7 +103,7 @@ server {
     server_tokens off;
 
     location / {
-        proxy_pass http://10.10.0.52:8008;
+        proxy_pass http://127.0.0.1:8008;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -128,7 +128,7 @@ server {
     add_header X-Content-Type-Options "nosniff" always;
 
     location / {
-        proxy_pass http://10.10.0.52:7880;
+        proxy_pass http://127.0.0.1:7880;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -158,7 +158,7 @@ server {
         allow 10.10.0.0/24;
         deny all;
 
-        proxy_pass http://10.10.0.52:9001;
+        proxy_pass http://127.0.0.1:9001;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;