chore(ci): bootstrap CI + hooks

Squash-merge bootstrap-cicd into integration

instructions/bootstrap-cicd.md

@@ -0,0 +1,36 @@
+Bootstrap CI/CD – Finalized Instructions (Phase 1)
+
+Goal
+- Provide Docker‑only local checks and Git hooks with parity to future CI. CI workflows are prepared but may remain disabled until runners are ready.
+
+Requirements
+- Docker + Docker Compose v2 on the development machine. No host packages beyond Docker are required.
+
+Local Checks
+- Entry point: `scripts/ci <phase>` where phase ∈ {format, lint, build, test, security, all}.
+- Always runs inside the ci container using `docker/ci.compose.yml`.
+- Tools pinned in `ci.Dockerfile`: shfmt, shellcheck, hadolint, yamllint, actionlint, prettier, markdownlint, commitlint.
+
+Hooks
+- Install hooks: `make hooks-setup` (copies .githooks/* into .git/hooks).
+- pre-commit: runs format + lint.
+- commit-msg: runs commitlint (Conventional Commits).
+- pre-push: runs build; test and security are present but currently no‑ops.
+
+Convenience Targets
+- `make quick` → format + lint.
+- `make check` → all phases.
+- `make build` → compose validation.
+
+CI (Prepared, optional enablement later)
+- .gitea/workflows/ci.yml: builds ci image; runs lint + build.
+- .gitea/workflows/release.yml: on pushes to main, creates annotated tag vYYYY.MM.DD-HHMM (UTC).
+- .gitea/workflows/nightly.yml: nightly lint run.
+- All jobs run inside the ci image; no runner host package installs.
+
+Protected Checks (when CI is enabled)
+- Protect: ci / lint, ci / build, ci / commitlint. Add ci / test and ci / security when they exist.
+
+Future Extensions
+- Add tests/security phases per repo stack; enable CI branch protections once runners are ready; optionally add pre-commit framework as an alternative to native hooks.
+