Add community health files, AGENTS.md, and security CI

Community health (Closes #15):
- CONTRIBUTING.md with dev setup, test commands, PR guidelines
- SECURITY.md with private vulnerability reporting guidance
- CODE_OF_CONDUCT.md (Contributor Covenant 2.1)
- .github/CODEOWNERS
- .github/ISSUE_TEMPLATE/ (bug report, feature request, config)
- .github/PULL_REQUEST_TEMPLATE.md

Agent instructions (Closes #16):
- AGENTS.md with project overview, dev commands, architecture, conventions
- CLAUDE.md, GEMINI.md, .github/copilot-instructions.md pointers

Security scanning (Closes #17):
- .github/workflows/security.yml with Trivy + gitleaks
- Weekly cron schedule (Monday 6am UTC)
- step-security/harden-runner on all jobs
- Fix ci.yml concurrency to protect main from cancellation

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @SebTardif

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -0,0 +1,72 @@
+name: Bug report
+description: Report a bug in the Patchloom VS Code extension
+title: "bug: "
+labels:
+  - bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for the report.
+
+        Include the output of `Patchloom: Show Status` if relevant.
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: What is going wrong?
+      placeholder: A short description of the bug.
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Reproduction steps
+      description: List the smallest sequence of steps that reproduces the issue.
+      placeholder: |
+        1. Open a workspace
+        2. Run command `...`
+        3. Observe `...`
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      placeholder: What should have happened?
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior
+      placeholder: What happened instead?
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant output
+      description: Paste error messages or Patchloom Show Status output.
+      render: shell
+  - type: input
+    id: vscode-version
+    attributes:
+      label: VS Code version
+      placeholder: "1.90.0"
+    validations:
+      required: false
+  - type: input
+    id: patchloom-version
+    attributes:
+      label: Patchloom CLI version
+      placeholder: "0.1.0"
+    validations:
+      required: false
+  - type: input
+    id: environment
+    attributes:
+      label: Environment
+      placeholder: macOS 15, Windows 11, WSL, Remote SSH, etc.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Patchloom CLI issues
+    url: https://github.com/patchloom/patchloom/issues
+    about: For bugs in the CLI itself (not the extension), file an issue on the main repo.
+  - name: Security reporting policy
+    url: https://github.com/patchloom/patchloom-vscode/blob/main/SECURITY.md
+    about: Do not post security vulnerabilities publicly. Read the private reporting policy first.

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -0,0 +1,36 @@
+name: Feature request
+description: Propose a new extension capability or improvement
+title: "feat: "
+labels:
+  - enhancement
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem to solve
+      description: What workflow or limitation are you trying to address?
+      placeholder: Describe the user problem first.
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: What change would you like to see?
+      placeholder: Describe the command, behavior, or UI you want.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      placeholder: Other approaches or why current behavior is not enough.
+    validations:
+      required: false
+  - type: checkboxes
+    id: contribution
+    attributes:
+      label: Contribution intent
+      options:
+        - label: I am willing to help implement this after scope is aligned
+          required: false

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,20 @@
+## Summary
+
+Describe the change in a few sentences.
+
+## Why
+
+Explain why this change is needed.
+
+## Verification
+
+List the checks you ran.
+
+- 
+
+## Checklist
+
+- [ ] All commits in this pull request are signed off with `git commit -s`
+- [ ] I ran `npm run check` and it passes
+- [ ] I updated docs if user-facing behavior changed
+- [ ] I am contributing this work under the repository license (MIT)

.github/copilot-instructions.md

@@ -0,0 +1,3 @@
+# Copilot
+
+See [AGENTS.md](../../AGENTS.md) for project conventions, dev commands, and coding standards.

.github/workflows/ci.yml

@@ -6,7 +6,7 @@ on:
 
 concurrency:
   group: ci-${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
 jobs:
   build:

.github/workflows/security.yml

@@ -0,0 +1,81 @@
+name: Security
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"  # Monday 6am UTC
+  workflow_dispatch:
+
+concurrency:
+  group: security-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+permissions:
+  contents: read
+
+jobs:
+  trivy:
+    name: Trivy
+    runs-on:
+      - self-hosted
+      - macOS
+      - ARM64
+      - patchloom-vscode
+    timeout-minutes: 10
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@v4
+      - name: Install Trivy
+        run: |
+          if ! command -v trivy &>/dev/null; then
+            brew install trivy
+          fi
+      - name: Trivy filesystem scan
+        run: trivy fs --scanners vuln --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed .
+
+  gitleaks:
+    name: Gitleaks
+    runs-on:
+      - self-hosted
+      - macOS
+      - ARM64
+      - patchloom-vscode
+    timeout-minutes: 5
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install gitleaks
+        env:
+          GITLEAKS_VERSION: "8.30.1"
+        run: |
+          if command -v gitleaks &>/dev/null; then
+            echo "gitleaks already installed"
+            exit 0
+          fi
+          archive="${RUNNER_TEMP}/gitleaks.tar.gz"
+          bindir="${RUNNER_TEMP}/gitleaks-bin"
+          mkdir -p "$bindir"
+          case "$(uname -s)-$(uname -m)" in
+            Linux-x86_64)  platform="linux_x64" ;;
+            Linux-aarch64) platform="linux_arm64" ;;
+            Darwin-x86_64) platform="darwin_x64" ;;
+            Darwin-arm64)  platform="darwin_arm64" ;;
+            *) echo "Unsupported platform: $(uname -s)-$(uname -m)" >&2; exit 1 ;;
+          esac
+          curl --retry 5 --retry-all-errors --retry-delay 2 -sSfL \
+            -o "$archive" \
+            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_${platform}.tar.gz"
+          tar -xzf "$archive" -C "$bindir" gitleaks
+          printf '%s\n' "$bindir" >> "$GITHUB_PATH"
+      - run: gitleaks detect --source . --exit-code 1

AGENTS.md

@@ -0,0 +1,89 @@
+# AGENTS.md
+
+## Project overview
+
+Patchloom for VS Code is the official VS Code extension for [Patchloom](https://github.com/patchloom/patchloom). It detects the Patchloom CLI, generates agent rules, configures MCP servers, and provides quick actions from the command palette. The extension is a thin wrapper around the `patchloom` binary with dependency-injected helpers for testability.
+
+## Dev commands
+
+| Command | What it does |
+|---------|-------------|
+| `npm run compile` | Compile extension source (`tsc -p ./`) |
+| `npm run compile-tests` | Compile test source (`tsc -p ./tsconfig.test.json`) |
+| `npm run watch` | Watch mode for extension source |
+| `npm run test:unit` | Run unit tests (`node --test ./out-test/test/unit/*.test.js`) |
+| `npm run test:extension` | Run VS Code extension integration tests |
+| `npm run test` | Compile + compile-tests + unit tests + extension tests |
+| `npm run package` | Package the `.vsix` using `@vscode/vsce` |
+| `npm run check` | Full CI gate: test + package |
+
+Always run `npm run check` before committing.
+
+## Project structure
+
+```
+src/
+  extension.ts           Thin entrypoint: registers commands, status bar, config listeners
+  binary/patchloom.ts    Binary discovery, version parsing, compatibility assessment
+  commands/
+    configureMcp.ts      Configure MCP command: multi-target MCP config injection
+    initializeProject.ts Initialize Project command: generate/diff AGENTS.md
+    quickActions.ts       Quick Action command: replace, tidy, doc set with diff preview
+    setupWorkspace.ts     Setup Workspace command: guided readiness walkthrough
+    showStatus.ts         Show Status command: diagnostics display
+  install/managed.ts     Managed install safety: checksum, staging, promotion, rollback, persistence
+  mcp/config.ts          MCP config file operations: inspect, configure, resolve targets
+  status/statusBar.ts    Status bar item: create, refresh, dispose
+  workspace/readiness.ts Workspace readiness: environment detection, folder selection
+test/
+  unit/                  Unit tests (node:test, dependency-injected, no VS Code API)
+    binary.test.ts       Binary discovery, managed install, compatibility (32 tests)
+    binaryDiscovery.test.ts  Real executable discovery on PATH (10 tests)
+    initializeProject.test.ts  Status display, agents file classification (14 tests)
+    managedLifecycle.test.ts   Managed install with real file I/O (10 tests)
+    mcpConfig.test.ts    MCP config with real temp directories (9 tests)
+    quickActions.test.ts Quick action command building (6 tests)
+  suite/
+    index.ts             VS Code extension integration tests
+    runExtensionTests.ts  Test runner using @vscode/test-electron
+```
+
+## Architecture conventions
+
+### Entrypoint
+
+`extension.ts` is thin. It registers commands, sets up the status bar listener, and delegates all logic to submodules.
+
+### Dependency injection
+
+All I/O-dependent functions accept an `inputs` object with injectable callbacks for file reads, writes, shell execution, etc. This keeps unit tests fast and deterministic. Default implementations use real `node:fs/promises` and `node:child_process`.
+
+### Testing
+
+- Unit tests use `node:test` and run without VS Code.
+- Extension tests use `@vscode/test-electron` and launch a real VS Code instance.
+- Tests compile to `out-test/` via `tsconfig.test.json`.
+- Use `tempfile` directories for real I/O tests.
+
+### Binary resolution order
+
+1. `patchloom.path` setting (explicit user config)
+2. `PATH` discovery (find executable named `patchloom`)
+3. Managed install (global storage directory)
+
+### MCP config targets
+
+| Target | Config file | Key |
+|--------|------------|-----|
+| VS Code workspace | `.vscode/mcp.json` | `servers` |
+| Cursor workspace | `.cursor/mcp.json` | `servers` |
+| Windsurf user | `~/.codeium/windsurf/mcp_config.json` | `mcpServers` |
+
+## Coding conventions
+
+- TypeScript strict mode.
+- No `any` types without justification.
+- Pure helpers with injected I/O for testability.
+- Keep `extension.ts` thin. No business logic in the entrypoint.
+- `npm run check` is the full gate. Nothing merges unless it passes.
+- All commits require a `Signed-off-by` line (DCO). Use `git commit -s`.

CLAUDE.md

@@ -0,0 +1,3 @@
+# Claude Code
+
+See [AGENTS.md](AGENTS.md) for project conventions, dev commands, and coding standards.