diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..0bc18ef --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,41 @@ +name: ci + +on: + push: + pull_request: + +jobs: + shell-and-release-guards: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install shell tooling + run: | + sudo apt-get update + sudo apt-get install -y shellcheck desktop-file-utils + + - name: Bash syntax check + run: bash -n scripts/*.sh tests/*.sh + + - name: ShellCheck + run: shellcheck scripts/*.sh tests/*.sh + + - name: Desktop entry validation + run: desktop-file-validate desktop/steam.desktop + + - name: Script tests + run: tests/run.sh + + nix-flake-check: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install Nix + uses: cachix/install-nix-action@v31 + + - name: Flake check + run: nix flake check --no-build --no-write-lock-file diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..661f62d --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,20 @@ +# Changelog + +All notable changes are documented in this file. + +## 2026.04.15 + +### Added +- Bubblewrap-based Steam launcher with per-user `compatdata` overlay isolation. +- Activation, uninstall, and add-user helper scripts. +- Desktop launcher override routing Steam startup through `steam-shared`. +- Permission repair watcher (`steam-fix-perms.path` + `steam-fix-perms.service`). +- Nix flake packages for `activate`, `uninstall`, and `add-user`. +- Basic shell test harness for preflight behavior and release guard checks. + +### Changed +- Activation output now reports the correct desktop file path: `/usr/local/share/applications/steam.desktop`. + +### Notes +- First public product release. +- Linux-only. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..b1209fc --- /dev/null +++ b/CODE_OF_CONDUCT.md 
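Review bot: The workflow declares no `permissions:` block, so on push events the GITHUB_TOKEN handed to both jobs carries the repository's default scope, which on many repositories is read/write, while neither job pushes, publishes or writes anything; add `permissions:` / `  contents: read` at the top level under `name: ci` so the token is read-only for every job. Both third-party actions are referenced by mutable tags (`actions/checkout@v4`, `cachix/install-nix-action@v31`), so a retagged or compromised release changes what runs in CI without any diff here; pin them to full commit SHAs with the version in a trailing comment and let a bot propose the bumps. Having both `push:` and `pull_request:` triggers also runs every job twice for branches with an open PR; restricting `push:` to `branches: [main]` removes the duplication.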
@@ -0,0 +1,15 @@
+# Code of Conduct
+
+## Our Standard
+
+Contributors keep communication respectful, direct, and constructive.
+Harassment, discrimination, and hostile behavior are not accepted.
+
+## Enforcement
+
+Project maintainers review reports and take action based on impact and severity.
+Actions can include warnings, removal of content, temporary bans, or permanent bans.
+
+## Reporting
+
+Open a private security advisory or contact maintainers through GitHub with the relevant context.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..185b28d
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,24 @@
+# Contributing
+
+## Development Workflow
+
+1. Create a branch from `main`.
+2. Implement a focused change.
+3. Run local verification.
+4. Open a pull request.
+
+## Required Local Checks
+
+```bash
+shellcheck scripts/*.sh tests/*.sh
+bash -n scripts/*.sh tests/*.sh
+desktop-file-validate desktop/steam.desktop
+tests/run.sh
+XDG_CACHE_HOME=/tmp nix flake check --no-build --no-write-lock-file
+```
+
+## Scope Rules
+
+- Keep changes minimal and focused.
+- Add or update tests for behavior changes.
+- Do not commit secrets.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..2fae12e
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Felix Foertsch
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..c430db3
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| --- | --- |
+| 2026.04.15 | yes |
+
+## Reporting a Vulnerability
+
+Report vulnerabilities by opening a private security advisory on GitHub.
+If that is not available, open an issue marked `security` without exploit details and request a private contact channel.
+
+Include:
+- affected version
+- Linux distribution and kernel version
+- Steam installation type (native or Flatpak)
+- reproduction steps
+- impact summary
+
+Do not publish working exploit details before a fix is available.
diff --git a/SUPPORT.md b/SUPPORT.md
new file mode 100644
index 0000000..2521d99
--- /dev/null
+++ b/SUPPORT.md
@@ -0,0 +1,16 @@
+# Support
+
+## Where to Ask for Help
+
+Use GitHub Issues for installation help, troubleshooting, and feature requests.
+
+Include:
+- distribution and kernel version
+- native Steam or Flatpak Steam
+- command output and exact error text
+- steps already tried
+
+## Scope
+
+This project supports Linux shared-library usage with `/opt/steam` and a `steamshare` group.
+Other operating systems are out of scope.
diff --git a/docs/release.md b/docs/release.md
new file mode 100644
index 0000000..ff935ef
--- /dev/null
+++ b/docs/release.md
@@ -0,0 +1,47 @@
+# Release Guide
+
+This guide defines the repeatable release procedure for GitHub product releases.
+
+## Preflight
+
+Run all checks locally from the repository root:
+
+```bash
+shellcheck scripts/*.sh tests/*.sh
+bash -n scripts/*.sh tests/*.sh
+desktop-file-validate desktop/steam.desktop
+tests/run.sh
+XDG_CACHE_HOME=/tmp nix flake check --no-build --no-write-lock-file
+```
+
+## Versioning
+
+Use CalVer tags: `YYYY.MM.DD`.
+If multiple releases happen on the same day, append `.1`, `.2`, and so on.
+
+## Release Steps
+
+1. Update `CHANGELOG.md` with the exact release version and notes.
+2. Push all release files to `main`.
+3. Create an annotated tag.
+4. Push the tag.
+5. Create a GitHub Release from that tag and copy release notes from `CHANGELOG.md`.
+
+Example:
+
+```bash
+git tag -a 2026.04.15 -m "release 2026.04.15"
+git push origin 2026.04.15
+```
+
+## Rollback
+
+1. Revert the problematic commit range on `main`.
+2. Cut a new patch release tag for the rollback build (for example `2026.04.15.1`).
+3. If a system needs cleanup after failed deployment, run:
+
+```bash
+nix run .#uninstall
+```
+
+Then re-activate with the corrected release once available.
diff --git a/tests/activate-desktop-path.test.sh b/tests/activate-desktop-path.test.sh
new file mode 100755
index 0000000..a5c5fb4
--- /dev/null
+++ b/tests/activate-desktop-path.test.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+SCRIPT="$ROOT_DIR/scripts/activate.sh"
+
+if ! grep -Fq 'Desktop file: /usr/local/share/applications/steam.desktop' "$SCRIPT"; then
+ echo "activate summary should reference /usr/local/share/applications/steam.desktop"
+ exit 1
+fi
diff --git a/tests/run.sh b/tests/run.sh
new file mode 100755
index 0000000..46664d0
--- /dev/null
+++ b/tests/run.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+for test_file in "$SCRIPT_DIR"/*.test.sh; do
+ echo "==> $(basename "$test_file")"
+ bash "$test_file"
+done
+
+echo "all tests passed"
diff --git a/tests/steam-shared-preflight.test.sh b/tests/steam-shared-preflight.test.sh
new file mode 100755
index 0000000..faaeff8
--- /dev/null
+++ b/tests/steam-shared-preflight.test.sh
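Review bot: The check greps the text of scripts/activate.sh for the summary string instead of running anything, so it also passes when the string sits in a comment, a dead branch, or a message other than the one the activation summary actually prints, and it cannot notice the desktop file being written somewhere else. That is presumably a deliberate trade-off because activate.sh needs root and mutates the host, but the test should say so; add above the `grep` line `# Static check only: activate.sh needs root and modifies /usr/local, so we` / `# assert on the summary text rather than running it.`. If activate.sh gains a dry-run mode or a destination override, switch this test to invoke it and compare real output.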
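Review bot: If the glob on the `for test_file` line matches nothing, bash passes the literal pattern through and the runner dies with an unrelated "No such file or directory" from `bash`, rather than reporting that no tests exist; since CI treats this script as a release guard, an empty or mis-named tests directory should be an explicit failure. Collect the matches into an array with `nullglob` enabled and refuse to continue when it is empty, as below. Running every file via `bash "$test_file"` ignores each test's own shebang, which is fine while all tests are bash, but a one-line comment saying so would stop the next person from assuming executable bits matter.

```shell
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

shopt -s nullglob
tests=("$SCRIPT_DIR"/*.test.sh)
if [[ ${#tests[@]} -eq 0 ]]; then
  echo "no *.test.sh files found in $SCRIPT_DIR" >&2
  exit 1
fi

for test_file in "${tests[@]}"; do
  # … unchanged: banner echo and bash "$test_file" …
done
```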
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+# Verify steam-shared preflight fails cleanly when the user is not in
+# the steamshare group. We force that condition by overriding `id` via
+# PATH so the test is deterministic regardless of the host environment.
+# Without this shim, a developer who is already in the steamshare group
+# and has /opt/steam activated would actually launch Steam from the test.
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+SCRIPT="$ROOT_DIR/scripts/steam-shared.sh"
+
+TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "$TMP_DIR"' EXIT
+
+cat > "$TMP_DIR/id" <<'EOF'
+#!/usr/bin/env bash
+if [[ "${1:-}" == "-nG" ]]; then
+ echo "users"
+ exit 0
+fi
+exec /usr/bin/id "$@"
+EOF
+chmod +x "$TMP_DIR/id"
+
+set +e
+OUTPUT="$(PATH="$TMP_DIR:$PATH" HOME="$TMP_DIR" bash "$SCRIPT" 2>&1)"
+STATUS=$?
+set -e
+
+if [[ $STATUS -eq 0 ]]; then
+ echo "expected preflight failure, got success"
+ echo "output: $OUTPUT"
+ exit 1
+fi
+
+if [[ "$OUTPUT" == *"steam-shared: shared library not found at /opt/steam/steamapps/compatdata"* ]]; then
+ exit 0
+fi
+
+if [[ "$OUTPUT" == *"steam-shared: current user is not in the 'steamshare' group"* ]]; then
+ exit 0
+fi
+
+echo "expected preflight failure about missing shared path or missing group"
+echo "actual output: $OUTPUT"
+exit 1
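Review bot: Accepting the `shared library not found` message as a pass means that on any machine without /opt/steam, including the ubuntu-latest CI runner, the `id` shim is never reached and the group-membership guard the header comment is about goes untested, while on a developer host that does have /opt/steam the shim is the only thing between this test and a real Steam launch. The shim also intercepts only the exact spelling `id -nG`; if scripts/steam-shared.sh (outside this diff) calls `id -Gn`, `groups`, `getent group`, or an absolute `/usr/bin/id`, the PATH override is bypassed, so the test should state which spelling it relies on. At minimum make the first success branch announce the gap, `echo "note: /opt/steam absent, steamshare group guard not exercised by this run" >&2` before its `exit 0`, and consider giving steam-shared.sh an environment override for the share root so the test can point it into `$TMP_DIR` and assert the group message unconditionally. The cleanup trap would also be safer as `rm -rf "${TMP_DIR:?}"` so an empty variable can never expand to `rm -rf ""`.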