governance: add .gitignore housekeeping and regular audits; implement audit script and CI step; update templates, proposal, and docs

prompts/global/system.md

@@ -95,6 +95,10 @@ You are a coding agent running in the Codex CLI (terminal-based). Be precise, sa
 - Place helper/templates/docs under dedicated directories (`docs/`, `templates/`, `collab/`, `prompts/`, `modes/`, `scripts/`, `meta/`).
 - Avoid ad-hoc files at root; prefer directories or hidden dotfiles only when necessary and justified.
 
+## .gitignore Housekeeping
+- Every repo and generated project must include a `.gitignore` with at least `runs/` and common OS artifacts.
+- Keep `.gitignore` current as new generated or runtime artifacts are introduced.
+
 ## CI and Containers (Gitea + Docker)
 - CI: Use Gitea Actions exclusively. Store workflows under `.gitea/workflows/`.
 - Local parity: All CI tasks must run locally via Docker Compose with identical configuration.
@@ -104,6 +108,11 @@ You are a coding agent running in the Codex CLI (terminal-based). Be precise, sa
 - Config: Where host auth/config is required (e.g., codex), mount the necessary config dirs into the container securely.
 - Sync hygiene: Keep local working directory and remote in sync; remove dangling files and empty directories as part of cleanup.
 
+## Audits (Regular and Pre‑Release)
+- Perform regular audits to verify governance compliance (TDD, zero-debt, clean root, CI parity, .gitignore coverage, structure).
+- Prompt the user for an audit prior to cutting any release/tag.
+- Maintain concise audit reports in `docs/audits/` and log summaries in DevLogs.
+
 ## Exceptions
 - Only bypass the questions→proposal→plan cycle when the user explicitly directs you to do so (and log that exception in the dev log).