gamaware
diff --git a/‎.claude/hooks/post-edit.sh‎
Lines changed: 23 additions & 0 deletions b/‎.claude/hooks/post-edit.sh‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎.claude/settings.json‎
Lines changed: 15 additions & 0 deletions b/‎.claude/settings.json‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎.coderabbit.yaml‎
Lines changed: 35 additions & 0 deletions b/‎.coderabbit.yaml‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/settings-bug.md‎
Lines changed: 22 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/settings-bug.md‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/settings-request.md‎
Lines changed: 18 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/settings-request.md‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 19 additions & 0 deletions b/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.github/copilot-instructions.md‎
Lines changed: 14 additions & 0 deletions b/‎.github/copilot-instructions.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 7 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎.github/workflows/quality-checks.yml‎
Lines changed: 99 additions & 0 deletions b/‎.github/workflows/quality-checks.yml‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎.github/workflows/security.yml‎
Lines changed: 37 additions & 0 deletions b/‎.github/workflows/security.yml‎
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Post-edit hook: auto-format shell scripts and markdown after Edit/Write.
+# Called by Claude Code via .claude/settings.json PostToolUse hook.
+
+FILE="$TOOL_INPUT_FILE_PATH"
+
+case "$FILE" in
+    *.sh)
+        if command -v shellharden > /dev/null 2>&1; then
+            shellharden --replace "$FILE" 2>/dev/null || true
+        fi
+        if [ -f "$FILE" ] && head -1 "$FILE" | grep -q '^#!'; then
+            chmod +x "$FILE"
+        fi
+        ;;
+    *.md)
+        if command -v markdownlint > /dev/null 2>&1; then
+            markdownlint --fix "$FILE" 2>/dev/null || true
+        fi
+        ;;
+esac
@@ -0,0 +1,15 @@
+{
+  "hooks": {
+    "PostToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/post-edit.sh"
+          }
+        ]
+      }
+    ]
+  }
+}
@@ -0,0 +1,35 @@
+reviews:
+  auto_review:
+    enabled: true
+  path_instructions:
+    - path: "scripts/**/*.sh"
+      instructions: |
+        Review for:
+        - shellcheck and shellharden compliance
+        - Proper quoting of all variables
+        - Error handling (set -euo pipefail)
+        - GitHub API usage best practices
+        - No hardcoded tokens or credentials
+    - path: "config/**/*.json"
+      instructions: |
+        Review for:
+        - Valid JSON structure
+        - Settings match documented baseline
+        - Override values are justified
+    - path: ".github/workflows/**"
+      instructions: |
+        Review for:
+        - Pinned action versions (SHA references)
+        - Least-privilege permissions
+        - No credential leaks in logs
+        - Proper secret usage
+    - path: "**/*.md"
+      instructions: |
+        Review for:
+        - Clarity and accuracy
+        - Markdown lint compliance (120 char lines)
+        - No hardcoded values
+  path_filters:
+    - "!**/*.png"
+    - "!**/*.gif"
+    - "!**/*.jpg"
@@ -0,0 +1,22 @@
+---
+name: Settings Bug
+about: Report a settings sync issue
+title: ""
+labels: bug
+---
+
+## Repository affected
+
+<!-- Which repo has the wrong settings? -->
+
+## Expected setting
+
+<!-- What should the setting be? -->
+
+## Actual setting
+
+<!-- What is the setting currently? -->
+
+## Additional context
+
+<!-- Any relevant logs or screenshots -->
@@ -0,0 +1,18 @@
+---
+name: Settings Request
+about: Propose a new setting to enforce
+title: ""
+labels: enhancement
+---
+
+## Setting to add
+
+<!-- Describe the setting -->
+
+## Why
+
+<!-- Why should this be enforced across all repos? -->
+
+## Scope
+
+<!-- All repos, or specific repos only? -->
@@ -0,0 +1,19 @@
+## What changed
+
+<!-- Brief description of the change -->
+
+## Type of change
+
+- [ ] Settings baseline update
+- [ ] Override configuration
+- [ ] Workflow improvement
+- [ ] Bug fix
+- [ ] Documentation
+
+## Checklist
+
+- [ ] JSON configs are valid (`jq empty config/*.json`)
+- [ ] Shell scripts pass `shellcheck`
+- [ ] Markdown passes `markdownlint`
+- [ ] Tested with `--dry-run` mode
+- [ ] Updated README if settings changed
@@ -0,0 +1,14 @@
+Review priorities for this repository:
+
+1. Shell script quality: shellcheck and shellharden compliance, proper
+   quoting, error handling (set -euo pipefail), no hardcoded tokens
+2. GitHub API usage: correct endpoints, proper error handling, rate
+   limit awareness, least-privilege token scopes
+3. JSON configuration: valid structure, settings match documented
+   baseline, overrides are justified
+4. Security: no credential leaks, secrets used properly, tokens never
+   logged
+5. Workflow security: pinned action versions (SHA references), minimal
+   permissions, no script injection
+6. Markdown quality: 120 char line limit, fenced code blocks, accurate
+   documentation
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
@@ -0,0 +1,99 @@
+name: Quality Checks
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  markdown-lint:
+    name: Markdown Linting
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Lint markdown
+        uses: DavidAnson/markdownlint-cli2-action@db4c2f7b1e4a6de4660458dd8d547f94deaac667 # v22.0.0
+
+  yaml-lint:
+    name: YAML Validation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Lint YAML
+        uses: ibiqlik/action-yamllint@2576f72e4b4e5aef56e60fc8a24fa17e25be1fef # v3.1.1
+        with:
+          config_file: .yamllint.yml
+
+  shell-check:
+    name: Shell Script Validation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
+
+  structure:
+    name: Validate Repository Structure
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Check required files
+        run: |
+          MISSING=0
+          for file in LICENSE README.md .gitignore CODEOWNERS CONTRIBUTING.md \
+                      SECURITY.md CLAUDE.md .pre-commit-config.yaml \
+                      .github/dependabot.yml config/baseline.json \
+                      config/overrides.json; do
+            if [ ! -f "$file" ]; then
+              echo "MISSING: $file"
+              MISSING=$((MISSING + 1))
+            else
+              echo "OK: $file"
+            fi
+          done
+          if [ "$MISSING" -gt 0 ]; then
+            echo "ERROR: $MISSING required files are missing"
+            exit 1
+          fi
+
+      - name: Validate JSON configs
+        run: |
+          for file in config/baseline.json config/overrides.json; do
+            if ! jq empty "$file" 2>/dev/null; then
+              echo "ERROR: Invalid JSON in $file"
+              exit 1
+            else
+              echo "OK: $file is valid JSON"
+            fi
+          done
+
+  actions-security:
+    name: Actions Security
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install zizmor
+        run: |
+          ZIZMOR_VERSION="1.5.0"
+          curl -sL "https://github.com/woodruffw/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-x86_64-unknown-linux-gnu.tar.gz" -o /tmp/zizmor.tar.gz
+          mkdir -p /tmp/zizmor-extract
+          tar -xzf /tmp/zizmor.tar.gz -C /tmp/zizmor-extract
+          sudo mv /tmp/zizmor-extract/zizmor /usr/local/bin/zizmor
+          chmod +x /usr/local/bin/zizmor
+
+      - name: Run zizmor
+        run: zizmor --config zizmor.yml .github/workflows/
@@ -0,0 +1,37 @@
+name: Security Scanning
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run Semgrep
+        uses: returntocorp/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d # v1.0.0
+        with:
+          config: auto
+
+      - name: Run Trivy
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947e7f3b01483832965 # v0.31.0
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy SARIF
+        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif