chore(config): governance and config foundation (#292)

* chore(config): governance and config foundation (PR #272 split 1/6)

Add repository governance and configuration files:
- CODEOWNERS: review authority model
- ISSUE_TEMPLATE: Copilot task template
- PULL_REQUEST_TEMPLATE: comprehensive review checklist
- .env.example: environment variable documentation
- .tool-versions: asdf/mise compatibility (Node 20, Python 3.12)
- .gitignore: expanded coverage (build, test, Python, tmp)
- .markdownlint.json: add MD009 trailing whitespace rule
- VERSION: 0.1.0

This is PR 1 of 6 from the PR #272 decomposition plan.
Dependency chain: PR-1 → PR-2 → PR-3 → PR-4/5/6 (parallel)

* chore(config): remove fork-specific CODEOWNERS from upstream PR

CODEOWNERS references @alfraido86-jpg (fork owner). Submitting this to
upstream would override @affaan-m's review authority. CODEOWNERS belongs
in the fork only, not in upstream contributions.

Ref: SAM finding F9 (run-048 audit)

* chore: address CodeRabbit review feedback on PR #292

- Scope markdownlint config to repo files (globs pattern)
- Add pre-commit hook checkbox to PR template

Ref: CodeRabbit review on PR #292

* fix(config): address CodeRabbit nitpicks N2 and N3

N2: Move pre-commit hooks checkbox higher in security checklist.
N3: Replace global MD009 disable with scoped config (br_spaces: 2).

* fix(config): use recursive glob for node_modules exclusion (N4)

.env.example

@@ -0,0 +1,38 @@
+# .env.example — Canonical list of required environment variables
+# Copy this file to .env and fill in real values.
+# NEVER commit .env to version control.
+#
+# Usage:
+#   cp .env.example .env
+#   # Then edit .env with your actual values
+
+# ─── Anthropic ────────────────────────────────────────────────────────────────
+# Your Anthropic API key (https://console.anthropic.com)
+ANTHROPIC_API_KEY=
+
+# ─── GitHub ───────────────────────────────────────────────────────────────────
+# GitHub personal access token (for MCP GitHub server)
+GITHUB_TOKEN=
+
+# ─── Optional: Docker platform override ──────────────────────────────────────
+# DOCKER_PLATFORM=linux/arm64  # or linux/amd64 for Intel Macs / CI
+
+# ─── Optional: Package manager override ──────────────────────────────────────
+# CLAUDE_CODE_PACKAGE_MANAGER=npm  # npm | pnpm | yarn | bun
+
+# ─── Session & Security ─────────────────────────────────────────────────────
+# GitHub username (used by CI scripts for credential context)
+GITHUB_USER="your-github-username"
+
+# Primary development branch for CI diff-based checks
+DEFAULT_BASE_BRANCH="main"
+
+# Path to session-start.sh (used by test/test_session_start.sh)
+SESSION_SCRIPT="./session-start.sh"
+
+# Path to generated MCP configuration file
+CONFIG_FILE="./mcp-config.json"
+
+# ─── Optional: Verbose Logging ──────────────────────────────────────────────
+# Enable verbose logging for session and CI scripts
+ENABLE_VERBOSE_LOGGING="false"

.github/ISSUE_TEMPLATE/copilot-task.md

@@ -0,0 +1,17 @@
+---
+name: Copilot Task
+about: Assign a coding task to GitHub Copilot agent
+title: "[Copilot] "
+labels: copilot
+assignees: copilot
+---
+
+## Task Description
+<!-- What should Copilot do? Be specific. -->
+
+## Acceptance Criteria
+- [ ] ...
+- [ ] ...
+
+## Context
+<!-- Any relevant files, APIs, or constraints Copilot should know about -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,5 +1,14 @@
-## Description
-<!-- Brief description of changes -->
+## What Changed
+<!-- Describe the specific changes made in this PR -->
+
+## Why This Change
+<!-- Explain the motivation and context for this change -->
+
+## Testing Done
+<!-- Describe the testing you performed to validate your changes -->
+- [ ] Manual testing completed
+- [ ] Automated tests pass locally (`node tests/run-all.js`)
+- [ ] Edge cases considered and tested
 
 ## Type of Change
 - [ ] `fix:` Bug fix
@@ -10,8 +19,15 @@
 - [ ] `chore:` Maintenance/tooling
 - [ ] `ci:` CI/CD changes
 
-## Checklist
-- [ ] Tests pass locally (`node tests/run-all.js`)
-- [ ] Validation scripts pass
+## Security & Quality Checklist
+- [ ] No secrets or API keys committed (ghp_, sk-, AKIA, xoxb, xoxp patterns checked)
+- [ ] JSON files validate cleanly
+- [ ] Shell scripts pass shellcheck (if applicable)
+- [ ] Pre-commit hooks pass locally (if configured)
+- [ ] No sensitive data exposed in logs or output
 - [ ] Follows conventional commits format
+
+## Documentation
 - [ ] Updated relevant documentation
+- [ ] Added comments for complex logic
+- [ ] README updated (if needed)

.gitignore

@@ -2,28 +2,61 @@
 .env
 .env.local
 .env.*.local
+.env.development
+.env.test
+.env.production
 
-# API keys
+# API keys and secrets
 *.key
 *.pem
 secrets.json
+config/secrets.yml
+.secrets
 
 # OS files
 .DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
 Thumbs.db
+Desktop.ini
 
 # Editor files
 .idea/
 .vscode/
 *.swp
 *.swo
+*~
+.project
+.classpath
+.settings/
+*.sublime-project
+*.sublime-workspace
 
 # Node
 node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+.pnpm-debug.log*
+.yarn/
+lerna-debug.log*
 
-# Build output
+# Build outputs
 dist/
+build/
+*.tsbuildinfo
+.cache/
+
+# Test coverage
 coverage/
+.nyc_output/
+
+# Logs
+logs/
+*.log
 
 # Python
 __pycache__/
@@ -42,3 +75,15 @@ examples/sessions/*.tmp
 # Local drafts
 marketing/
 .dmux/
+
+# Temporary files
+tmp/
+temp/
+*.tmp
+*.bak
+*.backup
+
+# Bootstrap pipeline outputs
+# Generated lock files in tool subdirectories
+.opencode/package-lock.json
+.opencode/node_modules/

.markdownlint.json

@@ -1,5 +1,7 @@
 {
+  "globs": ["**/*.md", "!**/node_modules/**"],
   "default": true,
+  "MD009": { "br_spaces": 2, "strict": false },
   "MD013": false,
   "MD033": false,
   "MD041": false,

.tool-versions

@@ -0,0 +1,6 @@
+# .tool-versions — Tool version pins for asdf (https://asdf-vm.com)
+# Install asdf, then run: asdf install
+# These versions are also compatible with mise (https://mise.jdx.dev).
+
+nodejs 20.19.0
+python 3.12.8

VERSION

@@ -0,0 +1 @@
+0.1.0