governance: add .gitignore housekeeping and regular audits; implement audit script and CI step; update templates, proposal, and docs

collab/proposals/01-codexhelper.llm.md

@@ -19,6 +19,8 @@
 - Planning/Architecture Governance: plan ahead via Questions→Proposal→Plan; maintain a global architecture/module map; implement module-by-module; avoid refactors except when assumptions change and plans/docs are updated.
 - Clean Root Governance: keep repo root minimal; organize assets under `docs/`, `templates/`, `collab/`, `prompts/`, `modes/`, `scripts/`, `meta/`.
 - CI/Containers Governance: use Gitea Actions with local parity via Docker Compose; do work inside containers; host for git/tea + Docker orchestration; dependencies via Docker; explicit names/cleanup.
+ - .gitignore Governance: maintain `.gitignore` with `runs/` and OS ignores across repos and generated projects.
+ - Audits Governance: run audits regularly; prompt before releases; record under `docs/audits/`; enforce via CI step.
 - Phase 1 acceptance:
   - new-mode creates mode skeleton
   - new-project scaffolds without overwrites
@@ -33,6 +35,7 @@
   - clean root: root remains minimal; scaffolding organizes assets under subdirectories
   - ci/containers: Gitea Actions and local Docker Compose run identical workflows; explicit names and cleanup verified
   - project CI: scaffold includes `.gitea/workflows/ci.yml`, `docker/compose.yml`, `docker/test/Dockerfile`, and `scripts/test.docker.sh`
+  - audits: audit script present and run in CI; reports recorded in repo when performed
   - ci/containers: Gitea Actions and local Docker Compose run identical workflows; explicit names and cleanup verified
 \n+## Approval — Tick All That Apply
 

collab/proposals/01-codexhelper.md

@@ -43,7 +43,9 @@ Purpose: Implement a bash wrapper (CodexHelper) around codex-cli with “modes
 - Zero Technical Debt: safety first; always production-ready; no deferring tests/docs/refactors; leverage sub-agents when needed.
 - Planning/Architecture Governance: plan ahead via Questions→Proposal→Plan; keep a global architecture/module map; implement module-by-module; avoid refactors except when assumptions change and plans/docs are updated.
 - Clean Root Governance: keep repo root minimal; organize assets under `docs/`, `templates/`, `collab/`, `prompts/`, `modes/`, `scripts/`, `meta/`.
- - CI/Containers Governance: use Gitea Actions with local parity via Docker Compose; do work inside containers; host for git/tea and Docker only; dependencies via Docker; explicit names and cleanup.
+- CI/Containers Governance: use Gitea Actions with local parity via Docker Compose; do work inside containers; host for git/tea and Docker only; dependencies via Docker; explicit names and cleanup.
+ - .gitignore Governance: include and maintain `.gitignore` entries (e.g., `runs/`, OS files) across repos and generated projects.
+ - Audits Governance: perform regular audits; prompt before releases; store reports under `docs/audits/` and enforce via CI step.
 
 ## Project Layout (generated)
 - `AGENTS.md` (from `templates/project/_shared/AGENTS.md`)
@@ -109,7 +111,8 @@ Purpose: Implement a bash wrapper (CodexHelper) around codex-cli with “modes
 - Zero Debt honored: code, tests, and docs complete; no debt items remain.
 - Clean Root honored: only essential files at root; scaffolding places assets under subdirectories.
 - CI/Containers honored: CI runs in Gitea and locally using the same Docker Compose; containers and networks use explicit names and are cleaned up.
- - Project scaffold includes `.gitea/workflows/ci.yml`, `docker/compose.yml`, `docker/test/Dockerfile`, and `scripts/test.docker.sh` copied from templates.
+- Project scaffold includes `.gitea/workflows/ci.yml`, `docker/compose.yml`, `docker/test/Dockerfile`, and `scripts/test.docker.sh` copied from templates.
+ - Audits honored: audit script present and executed in CI; reports are recorded when performed.
 
 ## Open Items for Confirmation
 - Template coverage: include `prompts/style.md` by default? (we’ll include as optional, empty file)

collab/questions/02-branching.llm.md

@@ -0,0 +1,20 @@
+# 02 — Branching/Release — Confirm (LLM)
+
+- Goals: top 3 drivers for change? [ ]
+- Stability: main = always green release-ready OR docs-only? [ ]
+- Consumption: what must be on main for bootstrap? [ ]
+
+- Choose model:
+  - Trunk-based (main green; short-lived branches) [ ]
+  - WIP branch (main release-only; WIPhax/wip/*) [ ]
+  - GitFlow (main/develop/release/hotfix) [ ]
+
+- Repo content on main: A full repo [ ] / B no code/prompts [ ] / C minimal bootstrap [ ]
+- If B/C: where do code/prompts live? naming? [ ]
+
+- Protections: require CI checks on main [ ]; PR reviews [ ]; Conventional Commits [ ]; tags only for release-ready [ ]
+
+- Migration: baseline commit/tag [ ]; create branches [ ]; update CI protections [ ]; add docs/branching.md [ ]
+
+Final: Reply “Approved for Branching Plan” with choices to proceed.
+

collab/questions/02-branching.md

@@ -0,0 +1,54 @@
+# 02 — Branching/Release — Questions
+
+Purpose: Align on a clean, sustainable branch and release strategy before any changes. We will not implement until you approve.
+
+Context: You suggested moving active work to a `WIPhax` branch and keeping `main` limited to non-code assets (docs/collab/.gitea). Below are options and tradeoffs to decide together.
+
+## Goals & Constraints
+1) Primary goals: What are the top 3 goals driving this change? (e.g., keep `main` always pristine, minimize merge noise, avoid half-baked code on main, simplify consumption by other projects, etc.)
+
+main pristine
+avoid half-baked code on main
+simplify consumption by other projects
+
+
+2) Stability bar: Should `main` be “always green + release-ready” with protected branch/required CI? Or “docs-only” as you proposed?
+
+"always green + release ready" 
+
+3) Consumption: Will external automation/scripts rely on cloning `main` to bootstrap? If yes, what assets must be present on `main` (templates, prompts, wrapper) to keep bootstrapping simple?
+
+## Branching Models (pick one or adjust)
+4) Trunk-based (recommended):
+   - `main` = always green, release-ready. All commits pass CI (Docker) and TDD.
+   - Work happens on short-lived feature branches `feat/*`, `fix/*` merged via PR.
+   - Optional long-lived integration branch `next` for batching risky changes.
+5) WIP branch variant:
+   - `main` = release-ready only; heavy ongoing work on `WIPhax` (or `wip/*`), merged back via PR when green.
+   - Risk: drift between `WIPhax` and `main`, elevated merge pain if long-lived.
+6) GitFlow:
+   - `main` for releases; `develop` for integration; feature branches; release/hotfix branches.
+   - Heavier process; likely overkill unless multiple contributors and scheduled releases.
+
+## Repo Content Policy
+7) What exactly belongs on `main`? Options:
+   - A) Full repo (code + prompts + templates + docs) — but always green.
+   - B) Everything except code/prompts (your suggestion) — use branches/tags for code.
+   - C) Minimal bootstrap subset (AGENTS seeds, prompts/global, templates/_shared) + docs.
+   Please choose and list mandatory directories for `main`.
+8) If B or C: where do code/prompts live (branch names/tags)? How will downstream projects fetch them reliably?
+
+## CI/Gitea Protections
+9) Protect `main` with required checks (Docker tests) and linear history? Approve?
+10) Require PR reviews and enforce Conventional Commits? Approve?
+11) Tagging: continue `YYYY-MM-DD-HHMM`. Should `main` tags correspond only to release-ready points?
+
+## Migration Plan (once we choose)
+12) Baseline selection: pick commit/tag for the new `main` baseline.
+13) Branch ops: create `WIPhax`/`next`/`develop` as chosen; move ongoing TDD work there.
+14) CI updates: confirm branch protections and required checks in Gitea.
+15) Docs: add `docs/branching.md` describing the policy; update README.
+
+## Decision
+16) Please pick one model (4/5/6) and option (7 A/B/C), then reply “Approved for Branching Plan” (or edit inline). I’ll draft `collab/plan/02-branching.md` for review.
+