
docs(governance): add SECURITY, CONTRIBUTING, CODE_OF_CONDUCT, RELEASING and issue/PR templates#1198

Merged
pedrofuentes merged 1 commit into
mainfrom
docs/governance-files
Jun 19, 2026

Conversation

@pedrofuentes

Owner

Adds standard governance docs (SECURITY, CONTRIBUTING linking AGENTS.md, CODE_OF_CONDUCT adopting Contributor Covenant 2.1, RELEASING) and .github issue/PR templates. Docs-only; TDD-exempt.

…ING and issue/PR templates

Co-authored-by: Copilot <175574315+pedrofuentes@users.noreply.github.com>
@pedrofuentes

Owner Author

Status: CONDITIONAL

Sentinel Review Report

Ref: docs/governance-files → main
Report ID: SENTINEL-1198-a92c3dc-20260618
Reviewed SHA: a92c3dc
Sentinel ruleset: v1
Reviewed at: 2026-06-18T22:15:00-07:00
Mode: standard
Review depth: Tier 2 (full)
Required action: FILE_ISSUES_AND_MERGE

Phase 0 — Binding

  • Branch docs/governance-files, PR docs(governance): add SECURITY, CONTRIBUTING, CODE_OF_CONDUCT, RELEASING and issue/PR templates #1198, reviewed SHA a92c3dc (HEAD == reviewed SHA, confirmed via gh pr view 1198 --json headRefOid). Single commit docs(governance): add SECURITY, CONTRIBUTING, CODE_OF_CONDUCT, RELEASING and issue/PR templates.
  • Scope confirmed via GitHub API = exactly 8 files, 327 additions, 0 deletions. Local main ref (16ca55d) is stale; GitHub computes the PR diff against up-to-date remote main, which already contains the P4 tooling merges — so the 12-file local git diff main...HEAD is a stale-base artifact, not PR scope. AGENTS.md, docs/SENTINEL.md, workflows, source, and deps are untouched by this PR.

Phase 1 — TDD / Test Evidence

Classification: docs-only PR (single docs(governance) commit; all 8 files are docs/templates/config). Per Exemptions, checks 1–4 N/A. Check 6 N/A (no source). Check 5 applies.

  • Tests exist & meaningful: N/A (docs-only, exempt)
  • Test-first history verified: N/A (docs-only, exempt)
  • Full suite green on SHA: ✅ ⚠️ parent-provided evidence: gh pr checks 1198 shows all checks pass on a92c3dc, incl. Unit Tests (shard 1/4..4/4) pass, E2E, Integration & Security Tests pass, Typecheck, Lint & Test pass. No-code diff: the 8 files (markdown/issue-template YAML) are not imported/loaded by the suite → docs cannot break unit tests. Flag ⚠️ (no-code; suite run skipped).
  • Coverage: N/A (threshold N/A for docs-only; no source touched)

Phase 1.5 — Fast-path Evaluation

🔴 count: 0 | LOC: 327 (≤150: N) | Security paths: N | New deps: N | Commit types qualify: Y (docs)
→ Fast-path eligible: NO (LOC 327 > 150) → Phase 2

Phase 2 — Execution Log

| Dim | Tool Call | Agent ID / Ref | Status |
| --- | --- | --- | --- |
| A1 | N/A (exempt: docs) | | ⏭️ |
| A2 | N/A (exempt: docs) | | ⏭️ |
| B | N/A (exempt: docs) | | ⏭️ |
| C | N/A (exempt: docs) | | ⏭️ |
| D | N/A (exempt: docs; no tests/impl in diff) | | ⏭️ |
| E | N/A (no dependency surface changed; also exempt) | | ⏭️ |
| F | task(agent_type="general-purpose", name="dim-f-docs", model="claude-sonnet-4.6") | dim-f-docs (platform returned no stable ID) | |

Selective dispatch per ruleset (docs→F). Dim F dispatched to a full-capability sub-agent; A1/A2/B/C/D/E logged N/A (exempt) without spawning (dispatching exempt dimensions is a protocol violation). Persisted report: posted to PR #1198 as a review comment (see Phase 5).

Findings

  • 🔴 CRITICAL: 0
  • 🟡 IMPORTANT: 2 new / 0 known
  • 🟢 MINOR: 1

Details (ordered by severity)

  1. [🟡] RELEASING.md references .github/workflows/release.yml, which does not exist — RELEASING.md:19-21, 35

    • Evidence: 4. The GitHub Release triggers .github/workflows/release.yml, which publishes / @council-ai/cli to npm via **OIDC Trusted Publishing** with **provenance**. and pointing at this repository and the release.yml workflow.
    • Impact: Only ci.yml and release-please.yml exist in .github/workflows/. The steady-state and bootstrap sections present this publish workflow in present tense as current fact. Trigger: a maintainer follows §"One-time bootstrap" to configure an npmjs Trusted Publisher → mechanism: points it at a non-existent release.yml → consequence: OIDC publishing can never succeed. The P10 placeholder (lines 50-53) only scopes the "Human bootstrap checklist" sub-section, not these earlier sections.
    • Remediation: Flag the workflow as pending (e.g., _(to be added in P10)_) on lines 19 and 35, mirroring the existing P10 placeholder, OR add the workflow file. Do not remove the OIDC design description — it is sound. (Dim F 🟡 cap; not policy-weakening.) File as sentinel:important.
  2. [🟡] RELEASING.md claims release-please component: cli and cli-v0.1.1 tags, unsupported by the actual config — RELEASING.md:9-10

    • Evidence: - ...automated by **release-please** in **manifest mode**, component `cli`. and - Release tags use the form `cli-v0.1.1`.
    • Impact: release-please-config.json keys the package on path "." with "release-type": "node" and sets no component, include-component-in-tag, or tag-separator; .release-please-manifest.json is { ".": "0.1.0" }; no release tag exists yet. The documented component 'cli' is not present in config, and absent a component/separator the tag form is not established as cli-v*. Trigger: automation or a maintainer relies on the documented tag form → mechanism: actual release-please output differs from doc → consequence: broken release monitoring/scripting expectations.
    • Remediation: Either remove the component 'cli'/cli-v0.1.1 claims and align with the actual config, or add "component": "cli" (and tag-separator if desired) to release-please-config.json and document it. File as sentinel:important.
  3. [🟢] PULL_REQUEST_TEMPLATE.md checklist omits the pnpm format (Prettier) gate — .github/PULL_REQUEST_TEMPLATE.md:20-22

    • Evidence: - [ ] pnpm test passes (full suite green). / - [ ] pnpm lint passes (zero warnings). / - [ ] pnpm typecheck passes.
    • Impact: AGENTS.md mandates running Prettier before commit; the checklist lists test/lint/typecheck but not format. Low impact (lint/CI likely catches formatting). Batched minor polish.
    • Remediation: Optionally add a pnpm format checklist item. File as sentinel:minor (do not fix in this PR).

Verified clean (no findings)

  • SECURITY.md: uses GitHub private vulnerability reporting / Security Advisories; explicit "No email or PGP key is required." (line 30) — no fabricated contact.
  • CODE_OF_CONDUCT.md: enforcement via maintainer @pedrofuentes + private GitHub Security Advisory — no invented email (lines 21-27).
  • CONTRIBUTING.md: consistent with AGENTS.md (TDD, Sentinel, worktrees, Conventional Commits, pnpm, Node 22+, named exports, eslint strict, no any, Prettier) and defers to AGENTS.md as authoritative (lines 5-7).
  • .github/ISSUE_TEMPLATE/bug_report.md, feature_request.md: valid YAML front-matter; no fabricated info.
  • .github/ISSUE_TEMPLATE/config.yml: valid YAML; blank_issues_enabled: false; security contact_links entry → correct Advisories URL.
  • No secrets detected; no prompt-injection text in PR content; markdown renders sanely.

Follow-ups & Actions

Decision rationale

  • No 🔴 blockers; CI green on a92c3dc; docs-only so TDD checks 1–4/6 exempt and the suite cannot be affected.
  • Scope is exactly the 8 intended governance files; no protected files (AGENTS.md/SENTINEL.md/workflows/source/deps) touched.
  • SECURITY.md and CODE_OF_CONDUCT.md correctly use GitHub-native reporting with no fabricated contacts; CONTRIBUTING.md and templates align with repo reality.
  • Two new 🟡 documentation-accuracy gaps in RELEASING.md (non-existent release.yml; unsupported component cli/cli-v* tag claims) → CONDITIONAL: file issues, then merge.

@pedrofuentes

Owner Author

Sentinel review CONDITIONAL (SENTINEL-1198-a92c3dc-20260618; full report above).

On the two 🟡 findings: both are stale-base artifacts. This PR branched from a3c1ff6 (before PR #1183 / P5 merged). On current main both referenced items now exist, so RELEASING.md is accurate and the findings resolve on merge — verified:

  • git cat-file -e origin/main:.github/workflows/release.yml → exists
  • release-please-config.json on main keys packages/cli with component: cli + include-component-in-tag: true (tags cli-v*)

No issues filed for those (already true on main). The 🟢 PR-template Prettier item is tracked in #1200. Merging.
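The two 🟡 findings above are both docs-versus-repository drift (a workflow file referenced by RELEASING.md that is absent on the PR base, and a documented tag form that the release-please config on that base does not produce). As an added example that is not code from the PR or the repository, the Node.js check below derives the tag prefix from a release-please-config.json object and compares it with the form RELEASING.md claims, and lists workflow references that do not exist; the sample config and markdown are constructed to mirror the stale-base and current-main states described in the thread. The tag rule (component, separator, then "v" + version) follows what the thread states; defaulting tag-separator to "-" and include-component-in-tag to true when a component is set are assumptions.

```javascript
// Added example: detect drift between RELEASING.md and repository state.

// Derive the release tag prefix for one package entry of release-please-config.json.
// Assumption: tag-separator defaults to "-" and include-component-in-tag defaults to true.
function expectedTagPrefix(config, pkgPath) {
  const pkg = (config.packages || {})[pkgPath];
  if (!pkg) throw new Error(`no package entry for path ${pkgPath}`);
  const includeComponent = pkg["include-component-in-tag"] !== false;
  const sep = pkg["tag-separator"] ?? config["tag-separator"] ?? "-";
  return pkg.component && includeComponent ? `${pkg.component}${sep}v` : "v";
}

// Extract the tag form the docs claim, e.g. `cli-v0.1.1` -> "cli-v"; null if not documented.
function claimedTagPrefix(markdown) {
  const m = markdown.match(/Release tags use the form `([^`]+)`/);
  return m ? m[1].replace(/\d+\.\d+\.\d+$/, "") : null;
}

// Finding-2 style check: does the documented tag form match what the config produces?
function checkTagClaim(config, pkgPath, markdown) {
  const expected = expectedTagPrefix(config, pkgPath);
  const claimed = claimedTagPrefix(markdown);
  if (claimed === null) return { ok: false, expected, claimed, reason: "tag form not documented" };
  if (claimed !== expected) return { ok: false, expected, claimed, reason: "docs/config mismatch" };
  return { ok: true, expected, claimed, reason: "consistent" };
}

// Finding-1 style check: every .github/workflows/*.yml the docs mention must exist.
function missingWorkflowRefs(markdown, existingPaths) {
  const refs = markdown.match(/\.github\/workflows\/[\w.-]+\.ya?ml/g) || [];
  const present = new Set(existingPaths);
  return [...new Set(refs)].filter((ref) => !present.has(ref));
}

// Constructed inputs mirroring the thread: stale PR base vs. current main.
const releasingMd =
  "- Release tags use the form `cli-v0.1.1`.\n" +
  "4. The GitHub Release triggers .github/workflows/release.yml, which publishes to npm.\n";
const staleBaseConfig = { packages: { ".": { "release-type": "node" } } };
const mainConfig = {
  packages: { "packages/cli": { "release-type": "node", component: "cli", "include-component-in-tag": true } },
};
const staleBaseWorkflows = [".github/workflows/ci.yml", ".github/workflows/release-please.yml"];
const mainWorkflows = [...staleBaseWorkflows, ".github/workflows/release.yml"];
```

Run against the PR's base the checks reproduce both findings; run against main they report nothing, which is the "resolves on merge" argument made above.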

@pedrofuentes pedrofuentes merged commit 97a76ec into main Jun 19, 2026
10 checks passed
@pedrofuentes pedrofuentes deleted the docs/governance-files branch June 19, 2026 05:24