feat(org): introduce COMMON/CTO/COO/CCO areas

- Add uppercase area directories; CCO placeholder only
- Move shared docs to COMMON (git workflow, CI bootstrap); update references
- Add DISCUSS.md to capture open questions and decisions

COMMON/README.md

@@ -0,0 +1,13 @@
+COMMON
+
+Purpose
+- Foundational, shared practices usable across projects.
+- Opinionated but adaptable; intended as a base layer.
+
+Contents (initial)
+- Git workflow (branching, merges, commit style)
+- CI/bootstrap parity guidance
+
+Notes
+- Keep content generic and reusable; project-specific overrides should live in the target repo.
+

COMMON/bootstrap-cicd.md

@@ -0,0 +1,21 @@
+Local CI Parity & Bootstrap
+
+Purpose
+- Provide a portable CI toolchain via a Dockerized image and compose file so that format/lint/build checks run identically locally and in CI.
+
+Components
+- `ci.Dockerfile` – builds the CI image with shellcheck, shfmt, hadolint, actionlint, yamllint, Node tools.
+- `docker/ci.compose.yml` – runs the CI container mounting the repo at `/workspace`.
+- `scripts/ci` – wrapper for phases: `format`, `lint`, `build`, `test`, `security`, `all`.
+- Git hooks – `.githooks/*` installed via `scripts/setup-hooks`.
+
+Usage
+- Install hooks: `make hooks-setup`
+- Quick checks: `make quick` (format + lint)
+- Full pass: `make check` (all phases)
+
+Notes
+- Pre-commit hook runs format/lint and commit message checks.
+- Pre-push hook runs build/test/security placeholders.
+- CI workflow runs on integration and protected branches when runners are enabled.
+

COMMON/git-workflow.md

@@ -0,0 +1,38 @@
+Git Workflow – Finalized Instructions
+
+Scope
+- Applies across projects. Contributors work via branches/PRs. CI/CD is Gitea‑native.
+
+Branches
+- main: production; default branch. Protected.
+- integration: development (unprotected; merges auto on green).
+- Working branches: `feature/<topic>`, `fix/<topic>`, `chore/<topic>` from integration.
+- Hotfix: `hotfix/<date>` from main; PR back to main, then forward‑merge into integration.
+- Release branch: ephemeral or lightweight `release/*`. Protect when present; may fast‑forward to latest tag via CI.
+
+Merges & Approvals
+- Feature → integration: squash merge; auto‑merge on green (no human approval). Self‑merge allowed.
+- integration → main: squash merge; require 1 approval; self‑merge not allowed.
+- Force pushes disabled on protected branches (`main`, `release/*`); PRs required.
+
+Commit Style
+- Conventional Commits for PR titles and commit messages.
+
+Versioning & Tags
+- Calendar tags: `vYYYY.MM.DD-HHMM` (UTC) for traceability.
+- Release tags: semantic or milestone tags (e.g., `v0.0.1-Bootstrap`).
+
+Release Flow
+1) Feature branches PR into integration; checks pass → auto‑merge.
+2) PR integration → main; 1 approval required; on merge, deploy and tag release.
+3) Optional: CI fast‑forwards a `release` branch pointer to the new tag.
+
+Protected Checks (enable when runners are ready)
+- On protected branches (`main`, `release/*`): ci / lint, ci / build, ci / commitlint. Add ci / test and ci / security when introduced.
+
+CODEOWNERS
+- Keep minimal; require review for integration → main.
+
+Notes
+- No secrets in this base repo. Future repos should integrate Vault for secrets.
+