chore: initial enterprise setup - governance, CI/CD, security hardening batch 1

Author: PrimeBuild-pc

.editorconfig

@@ -0,0 +1,32 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = crlf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 4
+
+[*.{cs,csx}]
+dotnet_sort_system_directives_first = true
+dotnet_separate_import_directive_groups = false
+csharp_new_line_before_open_brace = all
+csharp_style_var_for_built_in_types = false:suggestion
+csharp_style_var_when_type_is_apparent = false:suggestion
+csharp_style_var_elsewhere = false:suggestion
+csharp_prefer_braces = true:warning
+dotnet_style_qualification_for_field = false:suggestion
+dotnet_style_qualification_for_property = false:suggestion
+dotnet_style_qualification_for_method = false:suggestion
+dotnet_style_qualification_for_event = false:suggestion
+dotnet_style_object_initializer = true:suggestion
+dotnet_style_collection_initializer = true:suggestion
+dotnet_style_predefined_type_for_locals_parameters_members = true:suggestion
+dotnet_style_predefined_type_for_member_access = true:suggestion
+
+[*.xaml]
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false

.github/CODEOWNERS

@@ -0,0 +1,11 @@
+* @PrimeBuild-pc
+
+# Core system and process management
+/Services/ @PrimeBuild-pc
+/ViewModels/ @PrimeBuild-pc
+/Platforms/ @PrimeBuild-pc
+
+# Build and release
+/.github/workflows/ @PrimeBuild-pc
+/build-release.ps1 @PrimeBuild-pc
+/setup.iss @PrimeBuild-pc

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,48 @@
+name: Bug Report
+description: Report a reproducible bug in ThreadPilot
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please include clear reproduction steps and environment details.
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      placeholder: 1.1.0
+    validations:
+      required: true
+  - type: dropdown
+    id: os
+    attributes:
+      label: Windows Version
+      options:
+        - Windows 11
+        - Windows 10 22H2+
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Reproduction Steps
+      description: Step-by-step instructions to reproduce the issue
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Behavior
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs and Diagnostics
+      description: Include relevant app logs and stack traces

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security Report
+    url: https://github.com/PrimeBuild-pc/ThreadPilot/security/advisories/new
+    about: Report vulnerabilities privately using GitHub Security Advisories.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,27 @@
+name: Feature Request
+description: Suggest an improvement for ThreadPilot
+labels: [enhancement]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem Statement
+      description: What problem are you trying to solve?
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed Solution
+      description: Describe your preferred solution
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+  - type: textarea
+    id: impact
+    attributes:
+      label: Impact Areas
+      description: Process management, affinity, power plans, UI, performance, etc.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,25 @@
+## Summary
+
+Describe what changed and why.
+
+## Type of Change
+- [ ] Bug fix
+- [ ] Feature
+- [ ] Refactor
+- [ ] Documentation
+- [ ] Security hardening
+- [ ] Performance improvement
+
+## Validation
+- [ ] Built Debug and Release successfully
+- [ ] Ran automated tests
+- [ ] Verified impacted UI flows
+- [ ] Verified no secrets/credentials introduced
+
+## Security and Risk Notes
+List any impact on elevation, process control, power plan operations, or persisted configuration.
+
+## Checklist
+- [ ] Updated docs where relevant
+- [ ] Added or updated tests where relevant
+- [ ] Kept changes scoped and backwards compatible where possible

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: nuget
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - security

.github/workflows/ci-devsecops.yml

@@ -4,9 +4,14 @@ on:
   push:
     branches: ["main", "master"]
   pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  actions: read
 
 jobs:
-  build-and-scan:
+  build-test-scan:
     runs-on: windows-latest
 
     steps:
@@ -19,42 +24,63 @@ jobs:
           dotnet-version: "8.0.x"
 
       - name: Restore
-        run: dotnet restore "ThreadPilot.csproj"
+        run: dotnet restore "ThreadPilot_1.sln"
+
+      - name: Verify formatting
+        continue-on-error: true
+        run: dotnet format "ThreadPilot_1.sln" --verify-no-changes --verbosity diagnostic --report dotnet-format-report.json
 
       - name: Build Debug
-        run: dotnet build "ThreadPilot.csproj" --configuration Debug --no-restore
+        run: dotnet build "ThreadPilot_1.sln" --configuration Debug --no-restore
 
       - name: Build Release
-        run: dotnet build "ThreadPilot.csproj" --configuration Release --no-restore
+        run: dotnet build "ThreadPilot_1.sln" --configuration Release --no-restore
 
-      - name: Dependency Audit
-        run: dotnet list "ThreadPilot.csproj" package --vulnerable --include-transitive
+      - name: Run tests
+        run: dotnet test "ThreadPilot_1.sln" --configuration Release --no-build --verbosity normal
 
-      - name: Secret Scan (Gitleaks)
+      - name: Dependency vulnerability audit
         shell: pwsh
         run: |
           $ErrorActionPreference = "Stop"
+          $audit = dotnet list "ThreadPilot.csproj" package --vulnerable --include-transitive
+          $audit | Out-String | Write-Host
+
+          if ($LASTEXITCODE -ne 0) {
+            throw "dotnet list package --vulnerable failed."
+          }
+
+          if ($audit -match "has the following vulnerable packages") {
+            throw "Vulnerable packages detected."
+          }
 
+      - name: Secret scan (Gitleaks)
+        shell: pwsh
+        run: |
+          $ErrorActionPreference = "Stop"
           $version = "8.24.3"
           $baseUrl = "https://github.com/gitleaks/gitleaks/releases/download/v$version"
           $zipAsset = "gitleaks_${version}_windows_x64.zip"
           $tarAsset = "gitleaks_${version}_windows_x64.tar.gz"
 
-          Write-Host "Installing Gitleaks v$version"
-
           try {
             Invoke-WebRequest -Uri "$baseUrl/$zipAsset" -OutFile "gitleaks.zip"
             Expand-Archive -Path "gitleaks.zip" -DestinationPath ".\\gitleaks-bin" -Force
           }
           catch {
-            Write-Host "ZIP download failed, trying tar.gz fallback"
             Invoke-WebRequest -Uri "$baseUrl/$tarAsset" -OutFile "gitleaks.tar.gz"
             New-Item -ItemType Directory -Force -Path ".\\gitleaks-bin" | Out-Null
             tar -xzf "gitleaks.tar.gz" -C ".\\gitleaks-bin"
           }
 
           $gitleaksExe = Resolve-Path ".\\gitleaks-bin\\gitleaks.exe"
-          & $gitleaksExe version
+          & $gitleaksExe detect --source "." --redact --verbose --report-format json --report-path gitleaks-report.json
 
-          # Scan working tree for hardcoded secrets.
-          & $gitleaksExe detect --source "." --redact --verbose
+      - name: Upload security artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-reports
+          path: |
+            gitleaks-report.json
+            dotnet-format-report.json

.github/workflows/dotnet-desktop.yml

@@ -1,10 +1,7 @@
-name: .NET Build
+name: .NET Compatibility Build
 
 on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
+  workflow_dispatch:
 
 jobs:
   build:

.github/workflows/release.yml

@@ -0,0 +1,58 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  build-and-release:
+    runs-on: windows-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: "8.0.x"
+
+      - name: Restore
+        run: dotnet restore "ThreadPilot_1.sln"
+
+      - name: Build
+        run: dotnet build "ThreadPilot_1.sln" --configuration Release --no-restore
+
+      - name: Publish self-contained app
+        run: dotnet publish "ThreadPilot.csproj" --configuration Release --runtime win-x64 --self-contained true -o artifacts/release/win-x64
+
+      - name: Create release package
+        shell: pwsh
+        run: |
+          $ErrorActionPreference = "Stop"
+          $version = "${{ github.ref_name }}"
+          $zipName = "ThreadPilot_$version`_win-x64.zip"
+          Compress-Archive -Path "artifacts/release/win-x64/*" -DestinationPath "artifacts/release/$zipName" -Force
+
+      - name: Generate checksums
+        shell: pwsh
+        run: |
+          $ErrorActionPreference = "Stop"
+          $hashFile = "artifacts/release/SHA256SUMS.txt"
+          Get-ChildItem "artifacts/release" -File | ForEach-Object {
+            $hash = Get-FileHash $_.FullName -Algorithm SHA256
+            "$($hash.Hash)  $($_.Name)" | Out-File -FilePath $hashFile -Append -Encoding utf8
+          }
+
+      - name: Publish GitHub release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            artifacts/release/*.zip
+            artifacts/release/SHA256SUMS.txt
+          generate_release_notes: true