Coding-Autopilot-System · OgeonX-Ai · Jun 11, 2026 · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
@@ -0,0 +1,8 @@
+# Organization-wide governance and community health defaults
+/.github/ @OgeonX-Ai
+/CODE_OF_CONDUCT.md @OgeonX-Ai
+/CONTRIBUTING.md @OgeonX-Ai
+/GOVERNANCE.md @OgeonX-Ai
+/SECURITY.md @OgeonX-Ai
+/SUPPORT.md @OgeonX-Ai
+/profile/ @OgeonX-Ai
@@ -0,0 +1,60 @@
+name: Bug report
+description: Report a reproducible defect
+title: "[Bug]: "
+labels:
+  - bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Do not disclose vulnerabilities or credentials here. Use the security policy.
+  - type: input
+    id: version
+    attributes:
+      label: Version or commit
+      description: Include the branch, release, or full commit SHA.
+    validations:
+      required: true
+  - type: dropdown
+    id: environment
+    attributes:
+      label: Environment
+      options:
+        - Windows
+        - Linux
+        - macOS
+        - GitHub Actions
+        - Azure
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    id: description
+    attributes:
+      label: Problem
+      description: Describe expected and actual behavior.
+    validations:
+      required: true
+  - type: textarea
+    id: reproduction
+    attributes:
+      label: Reproduction
+      description: Provide the smallest repeatable sequence and sanitized logs.
+    validations:
+      required: true
+  - type: textarea
+    id: validation
+    attributes:
+      label: Validation attempted
+      description: List diagnostics, tests, or workarounds already attempted.
+    validations:
+      required: true
+  - type: checkboxes
+    id: safety
+    attributes:
+      label: Safety checks
+      options:
+        - label: I removed credentials, personal data, proprietary code, and sensitive prompts.
+          required: true
+        - label: This is not a security vulnerability.
+          required: true
@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/Coding-Autopilot-System/.github/security/policy
+    about: Report vulnerabilities privately according to the organization security policy.
+  - name: Support guidance
+    url: https://github.com/Coding-Autopilot-System/.github/blob/main/SUPPORT.md
+    about: Review support scope and required diagnostic information.
@@ -0,0 +1,41 @@
+name: Feature request
+description: Propose a scoped, testable improvement
+title: "[Feature]: "
+labels:
+  - enhancement
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What user or operator problem should be solved?
+    validations:
+      required: true
+  - type: textarea
+    id: outcome
+    attributes:
+      label: Desired outcome
+      description: Define observable acceptance criteria without prescribing implementation.
+    validations:
+      required: true
+  - type: textarea
+    id: safety
+    attributes:
+      label: Safety and operational impact
+      description: Describe permissions, identities, data, automation, and rollback impact.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Explain existing workarounds or simpler options.
+  - type: checkboxes
+    id: readiness
+    attributes:
+      label: Readiness
+      options:
+        - label: I searched for existing issues and pull requests.
+          required: true
+        - label: I can help validate the change.
+          required: false
@@ -0,0 +1,29 @@
+## Intent
+
+<!-- Explain the problem and the smallest coherent solution. -->
+
+## Changes
+
+<!-- List the behavior changed. Avoid a file inventory. -->
+
+## Risk And Safety
+
+- [ ] Permissions, identities, secrets, and data boundaries were reviewed.
+- [ ] AI-generated output and autonomous behavior were reviewed by a human.
+- [ ] No credentials, personal data, proprietary code, or sensitive prompts were added.
+- [ ] Breaking changes and migration requirements are documented.
+
+## Verification
+
+<!-- Include exact commands and meaningful results. -->
+
+- [ ] Tests, linting, and repository validation pass.
+- [ ] Documentation and examples match actual behavior.
+
+## Rollback
+
+<!-- Explain how to safely revert or disable this change. -->
+
+## Reviewer Focus
+
+<!-- Identify the highest-risk decisions and files. -->
diff --git a/.planning/audits/260611-enterprise-governance-audit-fix/AUDIT-FIX.md b/.planning/audits/260611-enterprise-governance-audit-fix/AUDIT-FIX.md
@@ -0,0 +1,27 @@
+# Audit-Fix Report: Enterprise Governance
+
+Source: `audit-uat`
+Arguments: `--severity all --max 8`
+Date: 2026-06-11
+
+## Result
+
+Eight findings were classified as auto-fixable and resolved with traceable atomic
+commits. No attempted fix failed validation.
+
+| ID | Finding | Status |
+|---|---|---|
+| F-01 | Contribution and conduct standards | Fixed |
+| F-02 | Vulnerability reporting policy | Fixed |
+| F-03 | Support boundaries | Fixed |
+| F-04 | Shared issue and pull request intake | Fixed |
+| F-05 | Governance and ownership controls | Fixed |
+| F-06 | Dependency and release policies | Fixed |
+| F-07 | Portfolio navigation | Fixed |
+| F-08 | Repeatable community health validation | Fixed |
+
+## Manual Backlog
+
+License choice, live branch protection/rulesets, organization Actions policy, security
+feature configuration, and production vulnerability-reporting operations require
+maintainer or organization-setting decisions.
diff --git a/.planning/phases/01-enterprise-governance/01-UAT.md b/.planning/phases/01-enterprise-governance/01-UAT.md
@@ -0,0 +1,25 @@
+# Enterprise Governance UAT
+
+Date: 2026-06-11
+Source: `$gsd-audit-fix --severity all --max 8`
+
+## Audit-Fix Classification
+
+| ID | Finding | Severity | Classification | Reason |
+|---|---|---|---|---|
+| F-01 | Shared contribution and conduct standards are absent | High | Auto-fixable | Standard community health files have a clear location and contract |
+| F-02 | No private vulnerability reporting policy exists | High | Auto-fixable | Security policy and response targets are directly testable |
+| F-03 | Support channels and boundaries are undefined | Medium | Auto-fixable | Shared support policy has an unambiguous location |
+| F-04 | Repositories do not inherit structured issue and PR intake | High | Auto-fixable | GitHub shared template locations are defined |
+| F-05 | Ownership, decisions, and autonomous change controls are undefined | High | Auto-fixable | Governance policy and CODEOWNERS are directly implementable |
+| F-06 | Dependency and release controls are undocumented | High | Auto-fixable | Organization policies can state minimum repository requirements |
+| F-07 | Organization profile omits the workstation entry point and standards | Medium | Auto-fixable | Portfolio inventory confirms the missing repository and policy navigation |
+| F-08 | Community health defaults have no repeatable validation | Medium | Auto-fixable | A local contract test can verify required files and content |
+
+## Manual-Only Findings
+
+- Choose an explicit license for this repository and organization-wide defaults.
+- Configure branch protection or repository rulesets on default branches.
+- Require signed commits or web commit signoff if it matches the maintainer workflow.
+- Configure organization Actions policy, security features, and Dependabot per executable repository.
+- Establish a production disclosure mailbox or private vulnerability reporting on every repository.
diff --git a/.planning/phases/01-enterprise-governance/01-VERIFICATION.md b/.planning/phases/01-enterprise-governance/01-VERIFICATION.md
@@ -0,0 +1,32 @@
+# Enterprise Governance Verification
+
+Date: 2026-06-11
+
+## Baseline Evidence
+
+- GitHub community profile health before change: 25%.
+- Community profile reported no code of conduct, contributing guide, issue template,
+  pull request template, license, or recognized README.
+- Default branch protection endpoint reported `Branch not protected`.
+- Repository rulesets endpoint returned an empty collection.
+
+## Validation Contract
+
+Run:
+
+```powershell
+pwsh -NoProfile -File scripts/Test-CommunityHealth.ps1
+git diff --check origin/main...HEAD
+```
+
+Expected:
+
+- all required shared community health files exist and are non-empty;
+- security, pull request, issue-form, and portfolio contracts pass;
+- no whitespace errors are introduced.
+
+## Result
+
+The validation contract passed locally after all eight auto-fixable findings were
+implemented. Live GitHub inheritance and community health scoring require merge to the
+default branch and are therefore a post-merge verification step.
@@ -0,0 +1,30 @@
+# Code of Conduct
+
+## Our Commitment
+
+We are committed to a professional, inclusive, and harassment-free community for
+everyone, regardless of background, identity, experience, or ability.
+
+## Expected Behavior
+
+- Communicate respectfully and focus criticism on technical work.
+- Be clear about uncertainty, limitations, and conflicts of interest.
+- Protect private information, credentials, and security-sensitive details.
+- Accept constructive feedback and correct mistakes transparently.
+- Use AI-assisted contributions responsibly and review generated output.
+
+## Unacceptable Behavior
+
+- Harassment, threats, discrimination, or personal attacks.
+- Publishing another person's private information without permission.
+- Knowingly submitting malicious, deceptive, plagiarized, or unsafe content.
+- Using community channels to disclose exploitable security details.
+
+## Enforcement
+
+Report conduct concerns privately to `OgeonX@gmail.com`. Maintainers will review
+reports promptly, protect confidentiality where practical, and may remove content or
+restrict participation when necessary.
+
+This policy applies in organization repositories, discussions, issues, pull requests,
+and other official community spaces.
@@ -0,0 +1,46 @@
+# Contributing
+
+Contributions are welcome when they improve the Coding Autopilot System portfolio
+without weakening its safety boundaries.
+
+## Before You Start
+
+1. Search existing issues and pull requests.
+2. Open an issue before making a cross-repository, architectural, or breaking change.
+3. Never include credentials, personal data, private prompts, or proprietary source.
+4. Keep autonomous changes bounded, reviewable, and reversible.
+
+## Development Workflow
+
+1. Fork or branch from the repository's default branch.
+2. Make the smallest coherent change.
+3. Add or update tests and documentation.
+4. Run the repository's documented validation commands.
+5. Open a pull request using the shared template.
+
+Use conventional commit subjects where practical, for example:
+
+```text
+feat(scope): add bounded capability
+fix(scope): handle failed validation
+docs(scope): clarify operator runbook
+```
+
+## Pull Request Standard
+
+A pull request must explain intent, risk, verification, and rollback. Changes to
+workflows, identities, permissions, dependencies, or autonomous behavior require
+explicit reviewer attention.
+
+Maintainers may close changes that are unsafe, untested, unrelated to the repository,
+or generated without meaningful human review.
+
+## Responsible AI Expectations
+
+- Treat model output as untrusted input.
+- Require human approval before consequential or destructive actions.
+- Apply least privilege to tools, identities, and repository permissions.
+- Preserve audit evidence for autonomous operations.
+- Document known limitations and failure modes.
+
+By participating, you agree to follow the [Code of Conduct](CODE_OF_CONDUCT.md).
@@ -0,0 +1,43 @@
+# Governance
+
+Coding Autopilot System is a maintainer-led engineering portfolio. Governance favors
+clear ownership, auditable decisions, and bounded automation over process volume.
+
+## Roles
+
+- **Maintainer:** sets direction, approves releases, manages security reports, and
+  owns repository settings.
+- **Contributor:** proposes scoped changes and supplies validation evidence.
+- **Automation:** may analyze, test, document, or prepare changes, but is not an
+  accountable approver.
+
+The current maintainer is [@OgeonX-Ai](https://github.com/OgeonX-Ai).
+
+## Decision Model
+
+Routine, reversible changes are decided through pull-request review. Breaking,
+cross-repository, security-sensitive, or architectural changes require an issue or
+decision record before implementation.
+
+The maintainer has final decision authority and documents material trade-offs in the
+relevant issue, pull request, or architecture record.
+
+## Change Controls
+
+- Default branches should reject direct pushes and require passing validation.
+- Pull requests must document intent, risk, verification, and rollback.
+- Workflow, identity, permission, dependency, and autonomous-action changes receive
+  explicit security review.
+- Releases use immutable source commits and documented release notes.
+- Emergency changes remain reviewable and receive retrospective evidence.
+
+## Autonomous System Boundaries
+
+Automation must operate with least privilege, bounded scope, explicit inputs, and
+observable outputs. Human approval is required before destructive, externally
+consequential, or production-changing actions. Model output is always untrusted input.
+
+## Policy Changes
+
+Changes to organization-wide policies use a pull request in this repository. Repository
+specific policies may be stricter and take precedence for that repository.