[codex] Prepare repository for public release

.github/workflows/ci.yml

@@ -0,0 +1,59 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+      - main
+
+jobs:
+  test:
+    name: Rust checks (${{ matrix.os }})
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Format
+        run: cargo fmt --check
+      - name: Clippy
+        run: cargo clippy --workspace --all-targets -- -D warnings
+      - name: Test
+        run: cargo test --workspace --locked
+
+  audit:
+    name: Dependency audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: rustsec/audit-check@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  secrets:
+    name: Secret scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - name: Install Gitleaks
+        env:
+          GITLEAKS_VERSION: 8.30.1
+        run: |
+          set -euo pipefail
+          tmp="$(mktemp -d)"
+          trap 'rm -rf "$tmp"' EXIT
+          base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
+          artifact="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          curl -sSfL "${base}/${artifact}" -o "${tmp}/${artifact}"
+          curl -sSfL "${base}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" -o "${tmp}/checksums.txt"
+          (cd "$tmp" && grep "  ${artifact}$" checksums.txt | sha256sum -c -)
+          tar -xzf "${tmp}/${artifact}" -C "$tmp" gitleaks
+          sudo install -m 0755 "${tmp}/gitleaks" /usr/local/bin/gitleaks
+      - name: Scan
+        run: gitleaks detect --source . --config .gitleaks.toml --redact --verbose

.gitignore

@@ -15,6 +15,7 @@
 
 # Local-only config (per-user settings, permissions)
 *.local.json
+.claude/settings.json
 
 # OS
 .DS_Store

.gitleaks.toml

@@ -0,0 +1,26 @@
+title = "Tempyr secret scanning"
+
+[extend]
+useDefault = true
+
+[[allowlists]]
+description = "Intentional fake credentials used by redaction and no-leak tests"
+condition = "AND"
+paths = [
+  '''crates/tempyr-cli/src/commands/onboarding\.rs''',
+  '''crates/tempyr-cli/tests/integration\.rs''',
+  '''crates/tempyr-index/src/embeddings\.rs''',
+  '''crates/tempyr-journal/src/redact\.rs''',
+  '''crates/tempyr-journal/src/writer\.rs''',
+]
+regexes = [
+  '''pa-1234567890abcdef''',
+  '''AIzaSyA-LongerLookingKey123''',
+  '''sk-doctor-test-secret-must-not-leak''',
+  '''sk-mcp-doctor-secret-must-not-leak''',
+  '''sk-ant-abcdefghijklmnop1234567890qrstuvwx''',
+  '''sk-proj-abc1234567890defghij''',
+  '''ghp_abcdefghijklmnopqrstuvwxyz0123456789AB''',
+  '''AKIAIOSFODNN7EXAMPLE''',
+  '''MIIEvQ\.\.\.etc''',
+]

CHANGELOG.md

@@ -0,0 +1,11 @@
+# Changelog
+
+All notable changes to Tempyr will be documented here.
+
+This project follows human-readable release notes. Until the first tagged
+release, changes are tracked through pull requests and the `master`
+branch history.
+
+## Unreleased
+
+- Initial public-readiness documentation and CI setup.

CODE_OF_CONDUCT.md

@@ -0,0 +1,12 @@
+# Code of Conduct
+
+Tempyr contributors are expected to keep project spaces respectful,
+professional, and focused on the work.
+
+Do not harass, threaten, insult, or deliberately derail other contributors.
+Assume good intent where reasonable, but prioritize clear technical discussion
+and maintainers' moderation decisions.
+
+Report conduct concerns privately by opening a GitHub Security Advisory at
+https://github.com/cleak/tempyr/security/advisories/new. Maintainers will keep
+reports confidential.

CONTRIBUTING.md

@@ -0,0 +1,41 @@
+# Contributing
+
+Thanks for helping improve Tempyr.
+
+## Development Setup
+
+Install the stable Rust toolchain, then run the standard checks from the
+repository root:
+
+```sh
+cargo fmt --check
+cargo clippy --workspace --all-targets -- -D warnings
+cargo test --workspace --locked
+cargo audit
+gitleaks detect --source . --config .gitleaks.toml --redact --verbose
+```
+
+`cargo audit` and `gitleaks` are separate developer tools; install them before
+running the full local suite.
+
+The source install path targets the CLI crate:
+
+```sh
+cargo install --path crates/tempyr-cli --locked
+```
+
+## Pull Requests
+
+- Keep changes focused on one behavior or documentation area.
+- Add or update tests for user-visible behavior changes.
+- Do not commit secrets, `.env` files, local agent settings, generated indexes,
+  or rendered output unless a maintainer explicitly asks for them.
+- When changing graph or journal behavior, update the relevant docs under
+  `docs/`.
+
+## Agent-Specific Files
+
+The checked-in `.claude/skills` and `.claude/agents` files are examples for
+Claude Code integration. Active hook settings are intentionally not committed;
+copy the example from `docs/claude-settings.example.json` or generate them
+locally with `tempyr init` when needed.

Cargo.toml

@@ -20,7 +20,7 @@ license = "MIT OR Apache-2.0"
 [workspace.dependencies]
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-serde_yml = "0.0.12"
+serde_yaml = "0.9"
 toml = "0.8"
 chrono = { version = "0.4", features = ["serde"] }
 uuid = { version = "1", features = ["v4"] }

README.md

@@ -45,21 +45,23 @@ cargo build --workspace
 Install the CLI from the local checkout:
 
 ```sh
-cargo install --path crates/tempyr-cli
+cargo install --path crates/tempyr-cli --locked
 ```
 
 Confirm the binary is available:
 
 ```sh
-tempyr doctor
+tempyr --help
 ```
 
 ## Quick Start
 
-Initialize a Tempyr project:
+Create or enter a project directory, then initialize Tempyr:
 
 ```sh
-tempyr init
+mkdir tempyr-demo
+cd tempyr-demo
+tempyr init --no-wizard
 ```
 
 Add a node:
@@ -92,6 +94,12 @@ Render a document from a root node:
 tempyr render prd feat-session-replay --output renders/session-replay-prd.md
 ```
 
+Inspect project health:
+
+```sh
+tempyr doctor
+```
+
 Start an interview from a brain dump:
 
 ```sh
@@ -117,11 +125,12 @@ provider-specific keys you need. `.env` is intentionally ignored by git.
 Useful commands:
 
 ```sh
-cargo build
-cargo test
+cargo build --workspace --locked
+cargo test --workspace --locked
 cargo test --lib
-cargo clippy
+cargo clippy --workspace --all-targets -- -D warnings
 cargo fmt --check
+cargo audit
 cargo run -- <subcommand>
 ```
 

RELEASE.md

@@ -0,0 +1,34 @@
+# Release Process
+
+1. Run the full local check suite:
+
+   ```sh
+   cargo fmt --check
+   cargo clippy --workspace --all-targets -- -D warnings
+   cargo test --workspace --locked
+   cargo audit
+   gitleaks detect --source . --config .gitleaks.toml --redact --verbose
+   ```
+
+2. Update `CHANGELOG.md` with user-facing changes.
+3. Confirm the managed Claude settings example matches the embedded asset:
+
+   ```sh
+   git diff --no-index --exit-code docs/claude-settings.example.json crates/tempyr-cli/assets/claude.settings.json
+   ```
+
+4. Confirm install scripts still work on their target platforms:
+
+   ```sh
+   bash install.sh --no-path-update
+   powershell -ExecutionPolicy Bypass -File .\install.ps1 -NoPathUpdate
+   ```
+
+5. Tag the release:
+
+   ```sh
+   git tag -a v0.1.0 -m "Tempyr v0.1.0"
+   git push origin v0.1.0
+   ```
+
+6. Publish release notes from the changelog entry.

SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+## Reporting Vulnerabilities
+
+Please report suspected vulnerabilities privately by opening a GitHub security
+advisory on this repository. If advisories are unavailable, contact the
+maintainers through the repository owner profile and avoid posting exploit
+details in a public issue.
+
+Include:
+
+- Affected version or commit.
+- Impact and expected exposure.
+- Steps to reproduce, if safe to share.
+- Any suggested fix or mitigation.
+
+## Secret Handling
+
+Tempyr reads provider keys from the environment or local `.env` files. Do not
+commit real API keys, tokens, private keys, or generated local configuration.
+The repository includes fake secret-shaped strings in redaction tests; they are
+allowlisted in `.gitleaks.toml` for scanner noise only and are not usable
+credentials. GitHub's native secret scanning may still report these fixtures;
+maintainers should dismiss them as test credentials only after verifying the
+exact literal appears in the allowlist.