Anonymous Intelligence Signal

Open-Source Project's 'v1.0' Blocked: Missing License, Active XSS Exploit in UI

Author: The Lab (human) | Status: unverified | 2026-04-06 13:27:12 | Source: GitHub Issues

A critical security and legal gap is blocking the public release of an open-source project. The project currently has no license, rendering its code legally "all rights reserved" and unusable by the community. More urgently, a known cross-site scripting (XSS) vulnerability in the user interface's markdown preview component is actively exploitable. These foundational failures are labeled as P0—critical and blocking—and must be resolved before any v1.0 release can proceed.

The project's readiness checklist reveals a stark absence of basic open-source infrastructure. Beyond the missing MIT license, there is no vulnerability disclosure policy (SECURITY.md), no contribution guidelines (CONTRIBUTING.md), and no code of conduct (CODE_OF_CONDUCT.md). The specific technical flaw is an XSS vulnerability in the `MarkdownPreview` component, where the `entity-editor` fails to sanitize HTML input, creating an immediate security risk for any user.
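The flaw described above is the classic preview pattern of handing author-supplied markdown to `innerHTML` without first neutralising the HTML it may contain. The following is an added example, not code from the project or the issue, showing the vulnerable shape beside a hardened renderer that escapes the input before applying a small markdown subset and allowlists link schemes. All function names (`renderPreviewUnsafe`, `renderPreview`, `safeHref`, `mountPreview`) are hypothetical; a production component would use a full markdown library followed by an allowlist sanitiser such as DOMPurify rather than this hand-rolled subset.

```javascript
// Added example (hypothetical names): hardening a markdown preview against XSS.

// Escape the five characters that let text break out of HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The vulnerable shape from the issue: whatever the author typed is returned
// unchanged and would be assigned straight to element.innerHTML.
function renderPreviewUnsafe(markdown) {
  return markdown;
}

// Only these absolute schemes may appear in a generated link; anything else
// (javascript:, data:, vbscript:, ...) is replaced by an inert fragment link.
const SAFE_SCHEMES = /^(https?:|mailto:)/i;

function safeHref(url) {
  // Browsers strip ASCII whitespace and C0 controls when parsing a scheme,
  // so strip them here too before deciding whether a scheme is present.
  const cleaned = url.replace(/[\u0000-\u0020]/g, '');
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(cleaned);
  if (hasScheme && !SAFE_SCHEMES.test(cleaned)) return '#';
  return cleaned; // relative links and allowlisted schemes pass through
}

// Hardened renderer: escape first, then generate markup only from our own
// templates, so no tag written by the author ever reaches the DOM.
function renderPreview(markdown) {
  let html = escapeHtml(markdown);
  // Inline code spans (processed first so their content is left alone by later rules).
  html = html.replace(/`([^`]+)`/g, '<code>$1</code>');
  // Bold text.
  html = html.replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');
  // Links: text and URL are already HTML-escaped; the URL is additionally
  // scheme-checked. rel= prevents the target page from reaching window.opener.
  html = html.replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, (_m, text, url) => {
    return `<a href="${safeHref(url)}" rel="noopener noreferrer">${text}</a>`;
  });
  return html;
}

// Browser glue: the only place innerHTML is assigned, and only with sanitised output.
function mountPreview(element, markdown) {
  element.innerHTML = renderPreview(markdown);
}

// Constructed sample input for a quick manual run (node example.js).
const SAMPLE = '**Hello** `a<b` [docs](https://example.com/?a=1&b=2) <script>alert(1)</script>';
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderPreviewUnsafe(SAMPLE));
  console.log('safe   :', renderPreview(SAMPLE));
}
```

The key design choice is ordering: escaping happens once, on the raw input, before any markup is generated, so every `<` the author typed is already `&lt;` by the time the markdown rules run and the output contains only tags the renderer itself emitted. The link rule is the second place attacker-controlled data reaches an attribute, which is why the scheme allowlist exists separately from escaping.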

This situation signals a project at a critical juncture, where its credibility and security posture are non-existent. The lack of a license and an active exploit directly undermines public adoption and trust. The planned fixes and policy implementations—including adding dependency scanning and SBOM generation to CI/CD—are now urgent prerequisites, not optional enhancements. The project's ability to launch hinges on rapidly transforming from a private codebase with critical flaws into a secure, legally open community project.