feat: containerize + shared CI pipeline

.github/copilot-instructions.md

@@ -0,0 +1,33 @@
+# Copilot Instructions — seclab-taskflows
+
+## Project
+
+- **Name**: seclab-taskflows
+- **Organization**: AiFeatures (fork from GitHubSecurityLab)
+- **Enterprise**: iAiFy
+- **Description**: Security lab task flows and automation templates
+
+## Conventions
+
+- Use kebab-case for file and directory names
+- Use conventional commits (feat:, fix:, chore:, docs:, refactor:, test:)
+- All PRs require review before merge
+- Branch from main, merge back to main
+
+## Shared Infrastructure
+
+- Reusable workflows: Ai-road-4-You/enterprise-ci-cd@v1
+- Composite actions: Ai-road-4-You/github-actions@v1
+- Governance standards: Ai-road-4-You/governance
+
+## Quality Standards
+
+- Run lint and tests before submitting PRs
+- Keep dependencies updated via Dependabot
+- No hardcoded secrets — use GitHub Secrets or environment variables
+- Follow OWASP Top 10 security practices
+
+## AgentHub Integration
+- Skills: `.agents/skills/` in this repo links to shared AgentHub skills
+- 14 shared agents available
+- MCP: 12 servers (GitHub, Supabase, Playwright, MongoDB, Notion, HuggingFace, etc.)

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/ci.yml

@@ -2,39 +2,14 @@ name: Python CI
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
 
 permissions:
   contents: read
 
 jobs:
-  test:
-    name: Run Tests ${{ matrix.python-version }} on ${{ matrix.os }}
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest]
-        python-version: ['3.11', '3.13'] # the one we have in the Codespace + the latest supported one by PyO3.
-      fail-fast: false  # Continue testing other version(s) if one fails
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v5
-
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
-      with:
-        python-version: ${{ matrix.python-version }}
-        cache: 'pip'
-
-
-    - name: Install Hatch
-      run: pip install --upgrade hatch
-
-    - name: Run static analysis
-      run: hatch fmt --linter --check
-
-    - name: Run tests
-      run: hatch test --python ${{ matrix.python-version }} --cover --randomize --parallel --retries 2 --retry-delay 1
+  ci:
+    uses: Ai-road-4-You/enterprise-ci-cd/.github/workflows/ci-python.yml@v1
+    secrets: inherit

.github/workflows/docker.yml

@@ -0,0 +1,18 @@
+name: Docker
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  docker:
+    uses: Ai-road-4-You/enterprise-ci-cd/.github/workflows/ci-docker.yml@v1
+    with:
+      tags-override: latest
+    secrets: inherit

.github/workflows/release.yml

@@ -0,0 +1,14 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    uses: Ai-road-4-You/enterprise-ci-cd/.github/workflows/release.yml@v1
+    secrets: inherit

.github/workflows/security-scan.yml

@@ -0,0 +1,18 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  security:
+    uses: Ai-road-4-You/enterprise-ci-cd/.github/workflows/security-scan.yml@v1
+    secrets: inherit

.gitignore

@@ -1,7 +1,47 @@
-*.log
+# =============================================================================
+# Cross-language / cross-platform ignore rules
+# =============================================================================
+
+# OS junk
+.DS_Store
+Thumbs.db
+
+# Editor / IDE temp files
+*.bak
+*.swp
+*.swo
+.idea/
+.vscode/
+*.sublime-workspace
+*.sublime-project
+
+# Node / JS / TS
+node_modules/
+.next/
+.nuxt/
+
+# Terraform
+.terraform/
+*.tfstate
+*.tfstate.*
+
+# Generic build / coverage artifacts
+coverage/
+
+# Environment files (broad glob)
+.env*
+!.env.example
+
+# Direnv
 .direnv
 .envrc
 
+# =============================================================================
+# Python-specific (from github/gitignore)
+# =============================================================================
+
+*.log
+
 # https://github.com/github/gitignore/blob/main/Python.gitignore
 # Byte-compiled / optimized / DLL files
 __pycache__/
@@ -133,9 +173,8 @@ celerybeat.pid
 # SageMath parsed files
 *.sage.py
 
-# Environments
-.env
-.venv
+# Environments (`.env*` covered by cross-language section above)
+.venv/
 env/
 venv/
 ENV/

AGENTS.md

@@ -0,0 +1,47 @@
+# AI Agent Instructions
+
+## Repository: seclab-taskflows
+
+- **Organization**: AiFeatures (fork from GitHubSecurityLab)
+- **Enterprise**: iAiFy
+
+## Shared Infrastructure
+
+| Resource | Reference |
+|---|---|
+| Reusable workflows | `Ai-road-4-You/enterprise-ci-cd@v1` |
+| Composite actions | `Ai-road-4-You/github-actions@v1` |
+| Governance docs | `Ai-road-4-You/governance` |
+| Repo templates | `Ai-road-4-You/repo-templates` |
+
+## Conventions
+
+1. Use **conventional commits** (`feat:`, `fix:`, `chore:`, `docs:`, `refactor:`, `test:`)
+2. Create **feature branches** for all changes
+3. Never push directly to `main`
+4. Run tests before submitting PR
+5. Keep dependencies updated via Dependabot
+6. All file names in **kebab-case**
+
+## Quality Gates
+
+Before merging any PR:
+
+- [ ] Lint passes
+- [ ] Tests pass (if test suite exists)
+- [ ] No new security vulnerabilities
+- [ ] PR has a meaningful description
+- [ ] Conventional commit messages used
+
+## Branch Strategy
+
+- `main` — Production-ready, protected
+- `feature/*` — New features
+- `fix/*` — Bug fixes
+- `chore/*` — Maintenance
+
+## Code Review
+
+- CODEOWNERS auto-assigns reviewers
+- Self-merge allowed for single-developer workflow
+- All changes must go through PR (org ruleset enforced)

CLAUDE.md

@@ -0,0 +1,22 @@
+# seclab-taskflows
+
+## Overview
+
+Security lab task flows and automation templates.
+
+## Project Structure
+
+- GitHub Security Lab workflows and task definitions
+
+## Conventions
+
+- Use kebab-case for file and directory names
+- Use conventional commits
+- Follow security best practices
+
+## AgentHub
+- Central hub: `~/AgentHub/`
+- Skills: `.agents/skills/` (symlinked to AgentHub shared skills)
+- MCP: 12 servers synced across all agents
+- Agents: 14 shared agents available
+- Hooks: Safety, notification, and logging hooks

Dockerfile

@@ -0,0 +1,28 @@
+FROM python:3.12-slim AS builder
+
+WORKDIR /build
+
+COPY pyproject.toml README.md ./
+COPY src/ ./src/
+
+RUN pip install --no-cache-dir --prefix=/install .
+
+# -----------------------------------------------------------
+FROM python:3.12-slim
+
+LABEL org.opencontainers.image.source="https://github.com/AiFeatures/seclab-taskflows" \
+      org.opencontainers.image.description="Security lab task flows and automation templates" \
+      org.opencontainers.image.licenses="MIT"
+
+COPY --from=builder /install /usr/local
+
+WORKDIR /app
+COPY src/ ./src/
+
+RUN groupadd --system appgroup && useradd --system --gid appgroup appuser
+USER appuser
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD ["python", "-c", "import seclab_taskflows; print('ok')"]
+
+ENTRYPOINT ["python", "-m", "seclab_taskflows"]