chore: harden local CI and secret scanning

[Ikalus1988]

PR Draft: chore: harden local CI and secret scanning

Summary

• Harden full-scope PR gates so secret scanning, dependency audit, and pytest failures fail the workflow instead of only warning.
• Expand scripts/check_worker_secrets.py from worker-only scanning to tracked repository text scanning, add broader GitHub token patterns, avoid echoing matched secret snippets, and keep worker env-missing checks.
• Add local maintainer entry points in Makefile and README, including install/test/lint/audit/validate targets and Windows command equivalents.
• Fix editable package installation by constraining setuptools discovery to misakanet*.
• Fix cross-platform issues surfaced by local validation: Windows core lesson path detection, dashboard SQLite handle cleanup, token fallback warnings on Windows, and CI self-heal tests with unavailable POSIX bash.
• Remove literal secret-shaped fixtures from fatal-guard redaction tests while preserving redaction coverage.

Validation

• python -m pre_commit run --files .github/workflows/pr-checks.yml .gitignore Makefile README.md pyproject.toml scripts/check_worker_secrets.py packages/fatal-guard/tests/redact-compliance.js misakanet/search/engine.py misakanet/tools/dashboard.py hub/master/token_manager.py tests/test_ci_self_heal.py tests/test_dashboard.py tests/test_token_manager_nokeyring.py
• python -m pytest --cov=misakanet --cov-report=term --cov-fail-under=20 tests/ → 118 passed, 3 skipped, coverage 45.55%.
• python scripts/check_worker_secrets.py → 0 errors, 0 warnings.
• node packages/fatal-guard/tests/redact-compliance.js → 7/7 patterns passed.

Notes

• Commit: ca38dc3 chore: harden local CI and secret scanning
• DCO: Signed-off-by included.
• Push was attempted twice but the local network could not connect to GitHub over port 443.

[github-actions]

🧾 Audit Report — PR #251 (ca38dc3)

📊 Quality Score: ?/100

No deductions.

🔏 DCO Audit

❌ ** commit(s)** missing Signed-off-by.

📏 PR Size

Metric	Value
Files Changed	13
Lines Added	583

🧪 Test Suite

❌ FAIL — tests have failures

📋 Lesson Schema

⏭️ Skipped (no lessons changed).

⚖️ Verdict

❌ DCO audit failed.
❌ Test suite failed.

---

Scope: full | Triggered by ca38dc3 | View run

[github-actions]

🧾 Audit Report — PR #251 (cc8ce19)

📊 Quality Score

⚠️ Quality score unavailable; continuing with hard gates.

🔏 DCO Audit

✅ All commits signed-off.

📏 PR Size

Metric	Value
Files Changed	13
Lines Added	593
⚠️ Warning	Warn 13 files changed (threshold: 10); 593 lines added (threshold: 500)

🧪 Test Suite

❌ FAIL — tests have failures

📋 Lesson Schema

⏭️ Skipped (no lessons changed).

⚖️ Verdict

❌ Test suite failed.

---

Scope: full | Triggered by cc8ce19 | View run

[github-actions]

🧾 Audit Report — PR #251 (f841277)

📊 Quality Score

⚠️ Quality score unavailable; continuing with hard gates.

🔏 DCO Audit

✅ All commits signed-off.

📏 PR Size

Metric	Value
Files Changed	15
Lines Added	607
⚠️ Warning	Warn 15 files changed (threshold: 10); 607 lines added (threshold: 500)

🧪 Test Suite

❌ FAIL — tests have failures

📋 Lesson Schema

⏭️ Skipped (no lessons changed).

⚖️ Verdict

❌ Test suite failed.

---

Scope: full | Triggered by f841277 | View run

[Ikalus1988]

Closing this maintainer PR to keep the active queue clean.

The useful, low-risk fix discovered while reviewing this PR has been split out and pushed directly to main:

• 9f6842c ? fix(search): detect core lessons across platforms

That fixes the real Windows path issue where lessons/core/... was not detected as a core lesson, causing boost-ranking tests to fail locally on Windows.

The remaining changes in this PR mix CI hardening, dependency audit policy, packaging, secret scanning, token-manager behavior, docs, and test updates across many files. That is too broad for one self-authored maintainer PR, especially while the audit job is red for environment/packaging reasons.

Follow-up plan: re-submit any still-needed hardening as smaller maintainer commits or focused PRs (for example: dependency audit only, secret scanner only, CI workflow only).