chore(governance): add repo guardrails

Author: xiaojiou176

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# Default maintainer ownership.
+
+* @xiaojiou176

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,31 @@
+---
+name: Bug report
+about: Report a reproducible repository bug
+title: "[bug] "
+labels: bug
+assignees: ""
+---
+
+## Summary
+
+Describe the bug in one short paragraph.
+
+## Reproduction
+
+1. Exact command(s):
+2. Exact file/path(s):
+3. Expected result:
+4. Actual result:
+
+## Evidence
+
+- logs or terminal output
+- relevant report/artifact path
+- commit/branch or workspace context if relevant
+
+## Scope
+
+- [ ] This is a narrow bug fix request
+- [ ] This is not a broad feature request
+- [ ] I checked README/docs before filing
+- [ ] I included commands, paths, and evidence

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security report
+    url: https://github.com/xiaojiou176-open/CortexPilot-public/blob/main/SECURITY.md
+    about: Do not open a public issue for vulnerabilities; use SECURITY.md for the live GitHub advisory form path. A second verified fallback private channel is still a maintainer follow-up item, not a public issue workflow.
+  - name: Support guide
+    url: https://github.com/xiaojiou176-open/CortexPilot-public/blob/main/SUPPORT.md
+    about: Use SUPPORT.md for public bugs, docs fixes, and usage questions before opening an issue.

.github/ISSUE_TEMPLATE/docs_drift.md

@@ -0,0 +1,23 @@
+---
+name: Docs drift
+about: Report factual drift between docs and implementation
+title: "[docs-drift] "
+labels: documentation
+assignees: ""
+---
+
+## Drift Summary
+
+What fact is wrong, stale, or duplicated?
+
+## Source Of Truth
+
+Which file, command, or generated artifact should be treated as authoritative?
+
+## Affected Docs
+
+List the path(s) that currently drift.
+
+## Evidence
+
+Provide the command output, file path, or generated artifact that proves the drift.

.github/ci/high_risk_paths.txt

@@ -0,0 +1,32 @@
+# High-risk path rules for PR full-ci escalation.
+# One shell-glob pattern per line. Supports ** and * style matching in bash [[ ]].
+
+# CI/workflow/policy surfaces
+.github/workflows/**
+policies/**
+tooling/registry.json
+
+# Core orchestrator runtime and dependency lock surfaces
+apps/orchestrator/src/**
+apps/orchestrator/pyproject.toml
+apps/orchestrator/requirements.txt
+apps/orchestrator/uv.lock
+
+# Dashboard/desktop runtime surfaces
+apps/dashboard/app/**
+apps/dashboard/components/**
+apps/dashboard/lib/**
+apps/desktop/src/**
+apps/desktop/src-tauri/src/**
+
+# Env governance SSOT
+configs/env.registry.json
+configs/env_tiers.json
+
+# CI entry scripts / hard gates
+scripts/ci.sh
+scripts/test.sh
+scripts/bootstrap.sh
+scripts/pre_commit_lint_gate.sh
+scripts/pre_commit_quality_gate.sh
+scripts/check_env_governance.py

.github/codeql/codeql-config.yml

@@ -0,0 +1,8 @@
+name: cortexpilot-codeql
+
+paths-ignore:
+  - .runtime-cache/**
+  - apps/desktop/src-tauri/target/**
+  - apps/dashboard/.next/**
+  - apps/dashboard/node_modules/**
+  - apps/desktop/node_modules/**

.github/dependabot.yml

@@ -0,0 +1,44 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 7
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 7
+  - package-ecosystem: "npm"
+    directory: "/apps/dashboard"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 7
+  - package-ecosystem: "npm"
+    directory: "/apps/desktop"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 7
+  - package-ecosystem: "pip"
+    directory: "/apps/orchestrator"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 7
+  - package-ecosystem: "cargo"
+    directory: "/apps/desktop/src-tauri"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 7

.github/dependency-review-config.yml

@@ -0,0 +1,3 @@
+fail-on-severity: high
+license-check: true
+warn-only: false

.github/pull_request_template.md

@@ -0,0 +1,30 @@
+## Summary
+
+- what changed
+- why it changed
+
+## Verification
+
+- exact command(s) run
+- result(s)
+
+## Docs / Policy Impact
+
+- docs updated: yes/no
+- env registry updated if needed: yes/no
+- runtime/output policy updated if needed: yes/no
+- public-boundary docs updated if positioning, support, privacy, rights, or third-party claims changed: yes/no
+- security reporting docs updated if the vulnerability intake path or fallback guidance changed: yes/no
+
+## Submission Terms
+
+- [ ] I confirm I have the right to submit this contribution
+- [ ] I confirm this contribution does not violate third-party rights, employer obligations, or confidentiality duties
+- [ ] I agree that this contribution is submitted under the repository license
+- [ ] I did not include runtime output, secrets, or unrelated cleanup
+
+## Risks
+
+- unresolved risks
+- follow-up items if any
+- if this change affects vulnerability intake or private disclosure handling, note whether a maintainer follow-up is still required before calling the security surface closed

.github/workflows/changed-scope-quality-weekly.yml

@@ -0,0 +1,132 @@
+name: changed-scope-quality-weekly
+
+on:
+  schedule:
+    - cron: '45 3 * * 1'
+  workflow_dispatch:
+    inputs:
+      feedback_jsonl_path:
+        description: 'Custom feedback JSONL path (optional)'
+        required: false
+        type: string
+        default: ''
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'scripts/report_changed_scope_quality.py'
+      - 'configs/changed_scope/rule_tuning.json'
+      - 'tests/fixtures/changed_scope/changed-scope-feedback.schema.json'
+      - 'tests/fixtures/changed_scope/changed-scope-feedback.sample.jsonl'
+      - '.github/workflows/changed-scope-quality-weekly.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  changed-scope-quality:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      actions: write
+    steps:
+      - name: Initialize Runner Tool Cache Env
+        run: |
+          echo "AGENT_TOOLSDIRECTORY=${RUNNER_TEMP}/hostedtoolcache-${GITHUB_JOB}-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}" >> "${GITHUB_ENV}"
+          echo "RUNNER_TOOL_CACHE=${RUNNER_TEMP}/hostedtoolcache-${GITHUB_JOB}-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}" >> "${GITHUB_ENV}"
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+          clean: true
+
+      - name: Prepare input
+        id: prep
+        env:
+          CUSTOM_INPUT: ${{ github.event.inputs.feedback_jsonl_path || '' }}
+        run: |
+          set -euo pipefail
+          mkdir -p .runtime-cache/test_output/changed_scope_quality/input
+          custom_input="${CUSTOM_INPUT}"
+          default_input=".runtime-cache/test_output/changed_scope/feedback.jsonl"
+          input_path="${default_input}"
+          if [[ -n "${custom_input}" ]]; then
+            input_path="${custom_input}"
+          fi
+          if [[ ! -f "${input_path}" ]]; then
+            input_path=".runtime-cache/test_output/changed_scope_quality/input/feedback.sample.jsonl"
+            cp tests/fixtures/changed_scope/changed-scope-feedback.sample.jsonl "${input_path}"
+            echo "[changed-scope-quality] feedback input missing, fallback to sample dataset"
+            sample_fallback_used="1"
+          else
+            sample_fallback_used="0"
+          fi
+          {
+            echo "sample_fallback_used=${sample_fallback_used}"
+            echo "input_path=${input_path}"
+          } >> "${GITHUB_OUTPUT}"
+
+      - name: Generate changed-scope quality report via docker_ci lane
+        env:
+          INPUT_PATH: ${{ steps.prep.outputs.input_path }}
+        run: |
+          set -euo pipefail
+          bash scripts/docker_ci.sh lane changed-scope-quality \
+            --input-jsonl "${INPUT_PATH}" \
+            --output-dir ".runtime-cache/test_output/changed_scope_quality" \
+            --base-config "configs/changed_scope/rule_tuning.json"
+
+      - name: Publish summary
+        if: always()
+        env:
+          RUN_ID: ${{ github.run_id }}
+          INPUT_PATH: ${{ steps.prep.outputs.input_path }}
+          SAMPLE_FALLBACK_USED: ${{ steps.prep.outputs.sample_fallback_used }}
+        run: |
+          set -euo pipefail
+          latest_week="$(find .runtime-cache/test_output/changed_scope_quality -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | sort | tail -n 1)"
+          summary_md=".runtime-cache/test_output/changed_scope_quality/${latest_week}/changed_scope_quality.summary.md"
+          if [[ -f "${summary_md}" ]]; then
+            {
+              echo "## changed-scope-quality-weekly"
+              echo "- run_id: ${RUN_ID}"
+              echo "- input: \`${INPUT_PATH}\`"
+              echo "- sample_fallback_used: \`${SAMPLE_FALLBACK_USED}\`"
+              echo ""
+              cat "${summary_md}"
+            } >> "${GITHUB_STEP_SUMMARY}"
+          fi
+
+      - name: Emit truth-mode marker
+        if: always()
+        env:
+          SAMPLE_FALLBACK_USED: ${{ steps.prep.outputs.sample_fallback_used }}
+        run: |
+          set -euo pipefail
+          mkdir -p .runtime-cache/test_output/changed_scope_quality/meta
+          if [[ "${SAMPLE_FALLBACK_USED}" == "1" ]]; then
+            sample_fallback_used=true
+          else
+            sample_fallback_used=false
+          fi
+          cat > .runtime-cache/test_output/changed_scope_quality/meta/truth_status.json <<EOF
+          {
+            "report_type": "cortexpilot_changed_scope_truth_status",
+            "sample_fallback_used": ${sample_fallback_used},
+            "analytics_only": true,
+            "blocking_quality_gate": false,
+            "release_truth_eligible": false
+          }
+          EOF
+
+      - name: Upload changed-scope quality artifacts
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: changed-scope-quality-weekly-${{ github.run_id }}
+          retention-days: 14
+          if-no-files-found: warn
+          path: |
+            .runtime-cache/test_output/changed_scope_quality/**