add release artifacts: license, CI, tests, and policy docs

- MIT LICENSE
- CHANGELOG.md (CalVer, first entry 2026.04.15)
- CODE_OF_CONDUCT, CONTRIBUTING, SECURITY, SUPPORT policies
- docs/release.md covering preflight, tagging, rollback
- GitHub Actions CI running shell syntax, shellcheck,
  desktop-file-validate, script tests, and nix flake check
- tests/ harness with activate-path and preflight checks;
  preflight test stubs `id` via PATH so it cannot launch real
  Steam on a developer machine where /opt/steam already exists

.github/workflows/ci.yml

@@ -0,0 +1,41 @@
+name: ci
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  shell-and-release-guards:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install shell tooling
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y shellcheck desktop-file-utils
+
+      - name: Bash syntax check
+        run: bash -n scripts/*.sh tests/*.sh
+
+      - name: ShellCheck
+        run: shellcheck scripts/*.sh tests/*.sh
+
+      - name: Desktop entry validation
+        run: desktop-file-validate desktop/steam.desktop
+
+      - name: Script tests
+        run: tests/run.sh
+
+  nix-flake-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+
+      - name: Flake check
+        run: nix flake check --no-build --no-write-lock-file

CHANGELOG.md

@@ -0,0 +1,20 @@
+# Changelog
+
+All notable changes are documented in this file.
+
+## 2026.04.15
+
+### Added
+- Bubblewrap-based Steam launcher with per-user `compatdata` overlay isolation.
+- Activation, uninstall, and add-user helper scripts.
+- Desktop launcher override routing Steam startup through `steam-shared`.
+- Permission repair watcher (`steam-fix-perms.path` + `steam-fix-perms.service`).
+- Nix flake packages for `activate`, `uninstall`, and `add-user`.
+- Basic shell test harness for preflight behavior and release guard checks.
+
+### Changed
+- Activation output now reports the correct desktop file path: `/usr/local/share/applications/steam.desktop`.
+
+### Notes
+- First public product release.
+- Linux-only.

CODE_OF_CONDUCT.md

@@ -0,0 +1,15 @@
+# Code of Conduct
+
+## Our Standard
+
+Contributors keep communication respectful, direct, and constructive.
+Harassment, discrimination, and hostile behavior are not accepted.
+
+## Enforcement
+
+Project maintainers review reports and take action based on impact and severity.
+Actions can include warnings, removal of content, temporary bans, or permanent bans.
+
+## Reporting
+
+Open a private security advisory or contact maintainers through GitHub with the relevant context.

CONTRIBUTING.md

@@ -0,0 +1,24 @@
+# Contributing
+
+## Development Workflow
+
+1. Create a branch from `main`.
+2. Implement a focused change.
+3. Run local verification.
+4. Open a pull request.
+
+## Required Local Checks
+
+```bash
+shellcheck scripts/*.sh tests/*.sh
+bash -n scripts/*.sh tests/*.sh
+desktop-file-validate desktop/steam.desktop
+tests/run.sh
+XDG_CACHE_HOME=/tmp nix flake check --no-build --no-write-lock-file
+```
+
+## Scope Rules
+
+- Keep changes minimal and focused.
+- Add or update tests for behavior changes.
+- Do not commit secrets.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Felix Foertsch
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| --- | --- |
+| 2026.04.15 | yes |
+
+## Reporting a Vulnerability
+
+Report vulnerabilities by opening a private security advisory on GitHub.
+If that is not available, open an issue marked `security` without exploit details and request a private contact channel.
+
+Include:
+- affected version
+- Linux distribution and kernel version
+- Steam installation type (native or Flatpak)
+- reproduction steps
+- impact summary
+
+Do not publish working exploit details before a fix is available.

SUPPORT.md

@@ -0,0 +1,16 @@
+# Support
+
+## Where to Ask for Help
+
+Use GitHub Issues for installation help, troubleshooting, and feature requests.
+
+Include:
+- distribution and kernel version
+- native Steam or Flatpak Steam
+- command output and exact error text
+- steps already tried
+
+## Scope
+
+This project supports Linux shared-library usage with `/opt/steam` and a `steamshare` group.
+Other operating systems are out of scope.

docs/release.md

@@ -0,0 +1,47 @@
+# Release Guide
+
+This guide defines the repeatable release procedure for GitHub product releases.
+
+## Preflight
+
+Run all checks locally from the repository root:
+
+```bash
+shellcheck scripts/*.sh tests/*.sh
+bash -n scripts/*.sh tests/*.sh
+desktop-file-validate desktop/steam.desktop
+tests/run.sh
+XDG_CACHE_HOME=/tmp nix flake check --no-build --no-write-lock-file
+```
+
+## Versioning
+
+Use CalVer tags: `YYYY.MM.DD`.
+If multiple releases happen on the same day, append `.1`, `.2`, and so on.
+
+## Release Steps
+
+1. Update `CHANGELOG.md` with the exact release version and notes.
+2. Push all release files to `main`.
+3. Create an annotated tag.
+4. Push the tag.
+5. Create a GitHub Release from that tag and copy release notes from `CHANGELOG.md`.
+
+Example:
+
+```bash
+git tag -a 2026.04.15 -m "release 2026.04.15"
+git push origin 2026.04.15
+```
+
+## Rollback
+
+1. Revert the problematic commit range on `main`.
+2. Cut a new patch release tag for the rollback build (for example `2026.04.15.1`).
+3. If a system needs cleanup after failed deployment, run:
+
+```bash
+nix run .#uninstall
+```
+
+Then re-activate with the corrected release once available.

tests/activate-desktop-path.test.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+SCRIPT="$ROOT_DIR/scripts/activate.sh"
+
+if ! grep -Fq 'Desktop file:    /usr/local/share/applications/steam.desktop' "$SCRIPT"; then
+	echo "activate summary should reference /usr/local/share/applications/steam.desktop"
+	exit 1
+fi

tests/run.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+for test_file in "$SCRIPT_DIR"/*.test.sh; do
+	echo "==> $(basename "$test_file")"
+	bash "$test_file"
+done
+
+echo "all tests passed"

tests/steam-shared-preflight.test.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+# Verify steam-shared preflight fails cleanly when the user is not in
+# the steamshare group. We force that condition by overriding `id` via
+# PATH so the test is deterministic regardless of the host environment.
+# Without this shim, a developer who is already in the steamshare group
+# and has /opt/steam activated would actually launch Steam from the test.
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+SCRIPT="$ROOT_DIR/scripts/steam-shared.sh"
+
+TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "$TMP_DIR"' EXIT
+
+cat > "$TMP_DIR/id" <<'EOF'
+#!/usr/bin/env bash
+if [[ "${1:-}" == "-nG" ]]; then
+	echo "users"
+	exit 0
+fi
+exec /usr/bin/id "$@"
+EOF
+chmod +x "$TMP_DIR/id"
+
+set +e
+OUTPUT="$(PATH="$TMP_DIR:$PATH" HOME="$TMP_DIR" bash "$SCRIPT" 2>&1)"
+STATUS=$?
+set -e
+
+if [[ $STATUS -eq 0 ]]; then
+	echo "expected preflight failure, got success"
+	echo "output: $OUTPUT"
+	exit 1
+fi
+
+if [[ "$OUTPUT" == *"steam-shared: shared library not found at /opt/steam/steamapps/compatdata"* ]]; then
+	exit 0
+fi
+
+if [[ "$OUTPUT" == *"steam-shared: current user is not in the 'steamshare' group"* ]]; then
+	exit 0
+fi
+
+echo "expected preflight failure about missing shared path or missing group"
+echo "actual output: $OUTPUT"
+exit 1