fix: correct license to CC-BY-NC-ND-4.0 and complete ecosystem standard files

The initial v0.1.0 release shipped with an MIT LICENSE, which conflicts
with the ecosystem-wide CC-BY-NC-ND-4.0 convention applied by every other
tool repo (Plaid, Home-Lab, CFX). Replace LICENSE with the canonical
CC-BY-NC-ND-4.0 text, copyright "TM Hospitality Strategies" matching the
rest of the ecosystem.

Also add the three standard ecosystem files that were not in the v0.1.0
population prompt:

- CONTRIBUTING.md: setup, structure, how to add skills/rules/snippets/
  templates, standards-version markers, aggregate counts contract,
  conventional commits.
- SECURITY.md: vulnerability disclosure via private security advisory,
  supported versions, response timeline, scope tailored to a content
  repo (insecure snippets, over-broad manifest permissions, unsanitized
  headless subprocess calls).
- CODE_OF_CONDUCT.md: Contributor Covenant 2.1, with the security
  advisory URL adjusted for this repo.

Made-with: Cursor

Author: TMHSDigital

CODE_OF_CONDUCT.md

@@ -0,0 +1,118 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project maintainers via a
+[private security advisory](https://github.com/TMHSDigital/Blender-Developer-Tools/security/advisories/new)
+on GitHub. Do not use public issues for Code of Conduct reports.
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/),
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html](https://www.contributor-covenant.org/version/2/1/code_of_conduct.html).

CONTRIBUTING.md

@@ -0,0 +1,124 @@
+# Contributing to Blender Developer Tools
+
+Thanks for helping improve this repository. This document describes how to set up locally, extend skills, rules, snippets, and the template, and submit changes.
+
+## Getting Started
+
+1. **Fork** the repository on GitHub.
+2. **Clone** your fork:
+
+   ```bash
+   git clone https://github.com/<your-username>/Blender-Developer-Tools.git
+   cd Blender-Developer-Tools
+   ```
+
+3. **Create a branch** for your work:
+
+   ```bash
+   git checkout -b your-feature-name
+   ```
+
+## Repository Structure
+
+This repo is a content collection (skills, rules, snippets, and one template) for Blender Python development. There is no runtime, no MCP server, and no test runner; CI validates frontmatter, syntax, and aggregate counts.
+
+```text
+skills/
+  <skill-name-kebab>/
+    SKILL.md
+rules/
+  <rule-name>.mdc
+snippets/
+  <snippet-name>.py
+templates/
+  <template-name>/
+    blender_manifest.toml
+    __init__.py
+    README.md
+```
+
+- **`skills/`** - one directory per skill, each containing `SKILL.md` with YAML frontmatter (`name`, `description`, `standards-version`).
+- **`rules/`** - Cursor-style rules as `.mdc` files with YAML frontmatter (`description`, `alwaysApply`, `globs`, `standards-version`).
+- **`snippets/`** - small standalone `.py` files (5 to 30 lines) demonstrating a single canonical pattern.
+- **`templates/`** - copy-paste starting points; one directory per template.
+
+## Adding a Skill
+
+1. Add a **kebab-case** directory under `skills/`, e.g. `skills/procedural-materials/`.
+2. Create **`SKILL.md`** with YAML frontmatter:
+
+   ```yaml
+   ---
+   name: procedural-materials
+   description: One-line description, under 200 chars.
+   standards-version: <current meta-repo VERSION>
+   ---
+   ```
+
+3. Aim for 150 to 350 lines covering the canonical pattern, common AI mistakes, version-correctness notes, and one or two worked code examples. Cite Blender API doc URLs where relevant. Avoid encyclopedic API tours.
+4. The skill `name` in frontmatter must match the directory name exactly (CI enforces this).
+
+## Adding a Rule
+
+1. Add a **`.mdc`** file under `rules/`, e.g. `rules/avoid-python-loops-on-vertices.mdc`.
+2. Start with YAML **frontmatter**:
+
+   ```yaml
+   ---
+   description: One-line summary for humans and tooling.
+   alwaysApply: true
+   globs:
+     - "**/*.py"
+   standards-version: <current meta-repo VERSION>
+   ---
+   ```
+
+3. Write 30 to 80 lines: the anti-pattern, a code example showing it wrong, a code example showing it right, and a short "Why it matters" section.
+
+## Adding a Snippet
+
+1. Add a `.py` file under `snippets/`, e.g. `snippets/depsgraph-evaluated-mesh.py`.
+2. Keep it 5 to 30 lines, fully working code, with a header comment naming the snippet and citing the relevant Blender doc URL or research section.
+3. Snippets are validated for Python syntax in CI.
+
+## Adding a Template
+
+1. Add a directory under `templates/`, e.g. `templates/headless-batch-script-template/`.
+2. Include all files needed for an immediate copy-paste starting point. For add-on templates, include `blender_manifest.toml`, `__init__.py`, and a brief `README.md`.
+
+## Blender Version Targeting
+
+Content targets **Blender 5.1** as primary, with **Blender 4.5 LTS** as fallback. When the API differs, branch on `bpy.app.version` and document both paths. Example:
+
+```python
+if bpy.app.version >= (5, 0, 0):
+    # 5.x path
+    ...
+else:
+    # 4.5 LTS path
+    ...
+```
+
+## Standards-version Markers
+
+Files that participate in ecosystem drift checking must carry a `standards-version` marker matching the current meta-repo `VERSION`:
+
+- `AGENTS.md`, `CLAUDE.md`, `ROADMAP.md`: HTML comment first line, e.g. `<!-- standards-version: 1.9.1 -->`.
+- `skills/*/SKILL.md`, `rules/*.mdc`: YAML frontmatter field `standards-version: 1.9.1`.
+
+The drift-check workflow enforces these on every push and PR.
+
+## Aggregate Counts
+
+`README.md` declares aggregate counts (e.g. "8 skills, 4 rules, 1 template, and 10 snippets"). The `validate-counts` job in `.github/workflows/validate.yml` enforces these substrings against the filesystem on every push and PR. When you add or remove content, update the README counts in the same commit.
+
+## Pull Request Process
+
+1. **Update docs** if you change skill or rule lists, content counts, or versioning (`README.md`, `CLAUDE.md`, `ROADMAP.md` as appropriate). The release workflow rewrites `CHANGELOG.md`, `CLAUDE.md` `**Version:**` line, and `ROADMAP.md` `**Current:**` line automatically when a `feat:` or `fix:` commit lands on `main`, so only edit those files for content beyond the version markers.
+2. **Open a PR** against `main` with a clear title and summary of changes.
+3. **Use Conventional Commits** for the PR title (and ideally the merge commit). Prefixes: `feat:` (minor bump), `fix:` (patch bump), `feat!:` or `BREAKING CHANGE` (major bump), `chore:` / `docs:` / `refactor:` (no release).
+4. **Respond to review** feedback; CI must pass before merge.
+
+## Code of Conduct
+
+This project follows the guidelines in [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md). By participating, you agree to uphold them.

LICENSE

@@ -1,21 +1,34 @@
-MIT License
-
-Copyright (c) 2026 TMHSDigital
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International
+
+Copyright (c) 2026 TM Hospitality Strategies
+
+This work is licensed under the Creative Commons
+Attribution-NonCommercial-NoDerivatives 4.0 International License.
+
+You are free to:
+
+  Share - copy and redistribute the material in any medium or format.
+
+The licensor cannot revoke these freedoms as long as you follow the
+license terms.
+
+Under the following terms:
+
+  Attribution - You must give appropriate credit, provide a link to the
+  license, and indicate if changes were made. You may do so in any
+  reasonable manner, but not in any way that suggests the licensor
+  endorses you or your use.
+
+  NonCommercial - You may not use the material for commercial purposes.
+
+  NoDerivatives - If you remix, transform, or build upon the material,
+  you may not distribute the modified material.
+
+  No additional restrictions - You may not apply legal terms or
+  technological measures that legally restrict others from doing
+  anything the license permits.
+
+Full license text:
+https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode
+
+SPDX-License-Identifier: CC-BY-NC-ND-4.0

SECURITY.md

@@ -0,0 +1,36 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security issue in this repository (e.g., a snippet that demonstrates an unsafe pattern, a template that ships an over-broad permission set, or a skill that recommends an insecure practice), please report it responsibly.
+
+**Report:** Open a [private security advisory](https://github.com/TMHSDigital/Blender-Developer-Tools/security/advisories/new) on GitHub.
+
+Please include:
+
+- Description of the vulnerability
+- Steps to reproduce
+- Which skill, rule, snippet, or template is affected
+- Any suggested fix
+
+## Scope
+
+This repository ships Markdown skill files, MDC rule files, Python snippets, and one Blender extension add-on template. The primary security concerns are:
+
+- **Snippets or templates demonstrating insecure patterns** (executing arbitrary code from `.blend` files, loading remote scripts without validation, leaking filesystem paths into logs).
+- **The extension-addon template declaring over-broad permissions** in `blender_manifest.toml` (e.g. `network`, `files`, `clipboard`, `camera`) without a documented justification.
+- **Skills recommending insecure practices** (running `eval()` on driver expressions from untrusted sources, disabling Blender's auto-execute-script protection in headless workflows, embedding credentials in `.blend` custom properties).
+- **Headless batch scripts** that pass user-controlled input to `subprocess` or `os.system` without sanitization.
+
+Issues with the Blender Python API itself (`bpy`, `bmesh`, `bpy_extras`) belong upstream at https://projects.blender.org and are out of scope here.
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 0.1.x   | Yes       |
+| < 0.1.0 | No        |
+
+## Response Timeline
+
+We aim to acknowledge reports within 48 hours and provide a fix or mitigation within 7 days for confirmed issues.