feat: add architecture docs, runbooks, and Claude Code skills

- Add docs/architecture.md with system context and component overview
- Add docs/runbooks/ with 4 operational procedures (exclude repo,
  add setting, handle drift, onboard repo)
- Add 3 Claude Code skills: /audit, /add-repo-override, /exclude-repo
- Update README and CLAUDE.md with new structure

Author: gamaware

.claude/skills/add-repo-override/SKILL.md

@@ -0,0 +1,26 @@
+---
+name: add-repo-override
+description: Add a per-repo settings override to overrides.json
+user-invocable: true
+---
+
+# Add Repository Override
+
+Add a per-repo exception to `config/overrides.json`.
+
+## Arguments
+
+`$ARGUMENTS` should be in the format: `<repo-name> <setting-path> <value>`
+
+Examples:
+- `my-repo branch_protection.required_status_checks.contexts '["Build","Test"]'`
+- `my-repo repo_settings.has_wiki true`
+
+## Steps
+
+1. Read the current `config/overrides.json`
+2. Parse `$ARGUMENTS` to extract repo name, setting path, and value
+3. Add or update the override for the specified repo
+4. Validate the resulting JSON with `jq empty`
+5. Show the diff of what changed
+6. Remind the user to create a PR for the change

.claude/skills/audit/SKILL.md

@@ -0,0 +1,24 @@
+---
+name: audit
+description: Run a dry-run settings audit across all repositories
+user-invocable: true
+disable-model-invocation: true
+---
+
+# Audit Repository Settings
+
+Run a dry-run sync to check for drift without applying changes.
+
+## Steps
+
+1. Run the sync script in dry-run mode:
+
+```bash
+./scripts/sync-repo-settings.sh --dry-run
+```
+
+2. Display the report:
+
+```bash
+cat reports/sync-report.md
+```

.claude/skills/exclude-repo/SKILL.md

@@ -0,0 +1,21 @@
+---
+name: exclude-repo
+description: Exclude a repository from settings governance
+user-invocable: true
+---
+
+# Exclude Repository
+
+Add a repository to the exclusion list in `config/overrides.json`.
+
+## Arguments
+
+`$ARGUMENTS` should be the repository name to exclude.
+
+## Steps
+
+1. Read the current `config/overrides.json`
+2. Add `$ARGUMENTS` to the `excluded` array (if not already present)
+3. Validate the resulting JSON with `jq empty`
+4. Show the updated exclusion list
+5. Remind the user to create a PR for the change

CLAUDE.md

@@ -14,7 +14,12 @@ a baseline, apply corrections, and report drift via GitHub Issues.
 - `.github/workflows/` — CI/CD and scheduled sync workflows
 - `.github/actions/` — Composite actions (security-scan, sync-settings,
   update-pre-commit-composite)
+- `.claude/skills/` — Reusable skills (`/audit`, `/add-repo-override`,
+  `/exclude-repo`)
+- `docs/architecture.md` — System architecture overview
 - `docs/adr/` — Architecture Decision Records
+- `docs/runbooks/` — Operational procedures (exclude repo, add setting,
+  handle drift, onboard repo)
 
 ## Git Workflow
 
@@ -73,6 +78,12 @@ commit hooks — see `.pre-commit-config.yaml` for the full list.
 - `.github/actions/update-pre-commit-composite/` — reusable
   pre-commit autoupdate + PR creation
 
+## Claude Code Skills
+
+- `/audit` — run a dry-run settings check across all repos
+- `/add-repo-override` — add a per-repo exception to overrides.json
+- `/exclude-repo` — exclude a repository from governance
+
 ## Code Review
 
 - CodeRabbit auto-review via `.coderabbit.yaml`

README.md

@@ -145,8 +145,15 @@ corrected in `--apply` mode.
 github-org-settings/
 ├── .claude/
 │   ├── settings.json               # Claude Code hooks config
-│   └── hooks/
-│       └── post-edit.sh             # Auto-format on edit
+│   ├── hooks/
+│   │   └── post-edit.sh             # Auto-format on edit
+│   └── skills/
+│       ├── audit/                   # /audit — dry-run settings check
+│       │   └── SKILL.md
+│       ├── add-repo-override/       # /add-repo-override — add exception
+│       │   └── SKILL.md
+│       └── exclude-repo/            # /exclude-repo — exclude a repo
+│           └── SKILL.md
 ├── .github/
 │   ├── actions/
 │   │   ├── security-scan/           # Composite: Semgrep + Trivy
@@ -173,10 +180,17 @@ github-org-settings/
 │   ├── baseline.json                # Settings enforced on all repos
 │   └── overrides.json               # Per-repo exceptions
 ├── docs/
-│   └── adr/
+│   ├── architecture.md              # System architecture overview
+│   ├── adr/
+│   │   ├── README.md
+│   │   ├── 001-settings-governance.md
+│   │   └── 002-sync-architecture.md
+│   └── runbooks/
 │       ├── README.md
-│       ├── 001-settings-governance.md
-│       └── 002-sync-architecture.md
+│       ├── add-setting.md           # How to add a new setting
+│       ├── exclude-repo.md          # How to exclude a repo
+│       ├── handle-drift.md          # How to respond to drift
+│       └── onboard-repo.md          # How to onboard a new repo
 ├── .coderabbit.yaml                 # CodeRabbit auto-review config
 ├── .gitignore
 ├── .markdownlint.yaml

docs/architecture.md

@@ -0,0 +1,104 @@
+# Architecture Overview
+
+## System Context
+
+This repository is the single source of truth for GitHub repository
+settings across all `gamaware` repositories. It acts as a control
+plane that reads a desired state from JSON configuration and
+reconciles it against the actual state via the GitHub API.
+
+```text
++---------------------+       +------------------+
+| config/             |       | GitHub API       |
+| baseline.json       |------>| (repos, branches,|
+| overrides.json      |       |  labels, security|
++---------------------+       +------------------+
+         |                            ^
+         v                            |
++---------------------+               |
+| scripts/            |               |
+| sync-repo-settings  |---------------+
+| generate-report     |
++---------------------+
+         |
+         v
++---------------------+
+| GitHub Issues       |
+| Job Summaries       |
+| Artifacts (90 days) |
++---------------------+
+```
+
+## Components
+
+### Configuration Layer (`config/`)
+
+- `baseline.json` — settings enforced on every repository
+- `overrides.json` — per-repo exceptions (status checks, exclusions)
+
+The effective configuration for a repo is the baseline deep-merged
+with its overrides. If no override exists, the baseline is used
+as-is.
+
+### Sync Engine (`scripts/`)
+
+`sync-repo-settings.sh` is the core reconciliation loop:
+
+1. **Discovery** — `gh repo list` finds all non-archived repos
+2. **Comparison** — for each repo, current state is fetched via API
+   and compared field-by-field against the effective config
+3. **Remediation** — in `--apply` mode, PATCH/PUT calls correct drift
+4. **Reporting** — a markdown report is generated with per-repo diffs
+
+The script handles 7 categories independently:
+
+| Category | API Endpoint | Method |
+| --- | --- | --- |
+| Repo settings | `repos/{owner}/{repo}` | PATCH |
+| Security | `repos/{owner}/{repo}` | PATCH |
+| Vulnerability alerts | `repos/{owner}/{repo}/vulnerability-alerts` | PUT |
+| Branch protection | `repos/{owner}/{repo}/branches/main/protection` | PUT |
+| Labels | `repos/{owner}/{repo}/labels` | POST |
+| Default branch | `repos/{owner}/{repo}` | PATCH |
+| Metadata | (advisory only) | — |
+
+### Composite Actions (`.github/actions/`)
+
+Reusable building blocks consumed by workflows:
+
+- `security-scan/` — Semgrep SAST + Trivy SCA with SARIF upload
+- `sync-settings/` — wraps the sync script with structured outputs
+- `update-pre-commit-composite/` — autoupdates hooks and creates PR
+
+### Workflows (`.github/workflows/`)
+
+| Workflow | Schedule | Purpose |
+| --- | --- | --- |
+| `sync-settings.yml` | Weekly Sunday 00:00 UTC | Settings enforcement |
+| `quality-checks.yml` | PR + push | Linting and validation |
+| `security.yml` | PR + push | SAST + SCA |
+| `update-pre-commit-hooks.yml` | Weekly Sunday 00:00 UTC | Hook version updates |
+
+### Reporting
+
+Drift is communicated through three channels:
+
+1. **GitHub Issues** — auto-created with `settings-drift` label when
+   drift is found, auto-closed when all repos are compliant
+2. **Job Summaries** — visible in the Actions run page
+3. **Artifacts** — full markdown report stored for 90 days
+
+## Security Model
+
+- The `ORG_SETTINGS_PAT` secret provides API access with `repo` and
+  `admin:org` scopes
+- Workflows use least-privilege `permissions` blocks
+- All third-party actions are pinned to SHA commits
+- Secret scanning and push protection are enforced on this repo too
+
+## Design Decisions
+
+Detailed rationale is documented in Architecture Decision Records:
+
+- [ADR 001: Settings Governance](adr/001-settings-governance.md)
+- [ADR 002: Sync Architecture](adr/002-sync-architecture.md)

docs/runbooks/README.md

@@ -0,0 +1,10 @@
+# Runbooks
+
+Operational procedures for managing GitHub organization settings.
+
+| Runbook | Purpose |
+| --- | --- |
+| [Exclude a Repository](exclude-repo.md) | Stop syncing settings to a repo |
+| [Add a New Setting](add-setting.md) | Enforce a new setting across all repos |
+| [Handle Drift](handle-drift.md) | Respond to drift detection issues |
+| [Onboard New Repository](onboard-repo.md) | Prepare a new repo for governance |

docs/runbooks/add-setting.md

@@ -0,0 +1,41 @@
+# Add a New Setting
+
+Enforce a new GitHub setting across all repositories.
+
+## Steps
+
+1. Identify the GitHub API field name for the setting. Check the
+   [GitHub REST API docs](https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#update-a-repository)
+
+2. Add the field to the appropriate section in `config/baseline.json`:
+   - `repo_settings` — repository-level toggles
+   - `security` — security features
+   - `branch_protection` — branch protection rules
+   - `labels` — standard labels
+   - `required_files` — files that must exist
+
+3. Update `scripts/sync-repo-settings.sh` if the new setting requires
+   a different API endpoint or comparison logic
+
+4. Update `README.md` to document the new setting and its purpose
+
+5. Test locally:
+
+   ```bash
+   ./scripts/sync-repo-settings.sh --dry-run
+   ```
+
+6. Create a PR. Review the dry-run output to confirm the expected
+   changes
+
+7. After merge, the next weekly run will apply the setting. For
+   immediate application, trigger manually:
+
+   ```bash
+   gh workflow run sync-settings.yml -f mode="--apply"
+   ```
+
+## Per-Repo Exceptions
+
+If a repo legitimately needs a different value, add an override in
+`config/overrides.json` under the repo name.

docs/runbooks/exclude-repo.md

@@ -0,0 +1,28 @@
+# Exclude a Repository
+
+Stop syncing settings to a specific repository.
+
+## When to Use
+
+- Third-party forks that must keep upstream settings
+- Temporary repos that will be deleted soon
+- Repos with fundamentally different governance needs
+
+## Steps
+
+1. Open `config/overrides.json`
+2. Add the repo name to the `excluded` array:
+
+   ```json
+   {
+     "excluded": ["repo-to-exclude"]
+   }
+   ```
+
+3. Create a PR with the change
+4. After merge, the next sync run will skip this repo
+
+## Reverting
+
+Remove the repo name from the `excluded` array and merge the PR.
+The next sync run will pick it up again.

docs/runbooks/handle-drift.md

@@ -0,0 +1,40 @@
+# Handle Drift Detection
+
+Respond to a `settings-drift` issue created by the sync workflow.
+
+## Triage
+
+1. Open the linked workflow run from the issue body
+2. Review the Job Summary to see which repos drifted and what changed
+3. Download the report artifact for full details
+
+## Common Causes
+
+| Cause | Action |
+| --- | --- |
+| Manual settings change via GitHub UI | Let the next `--apply` run fix it |
+| New repo created without governance | The sync will apply baseline settings |
+| Legitimate exception needed | Add an override in `config/overrides.json` |
+| PAT expired or lacks scopes | Rotate the `ORG_SETTINGS_PAT` secret |
+
+## Manual Fix
+
+If you need to fix drift immediately without waiting for the
+weekly run:
+
+```bash
+gh workflow run sync-settings.yml -f mode="--apply"
+```
+
+Or locally:
+
+```bash
+./scripts/sync-repo-settings.sh --apply
+```
+
+## Issue Lifecycle
+
+- The workflow auto-creates a new issue each time drift is found
+- Previous drift issues are auto-closed with a superseded comment
+- When all repos are compliant, open drift issues are auto-closed
+  with a compliant comment